mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-09 17:37:12 +00:00
Code Activity
kyverno/pkg/controllers/generic/webhook/controller.go

311 lines
10 KiB
Go
Raw Normal View History

feat: add policy exception validation webhook (#5679) * feat: add policy exception validation webhook Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * handler Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * validation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-12-15 09:34:44 +01:00
package webhook
import (
"context"
"fmt"
"time"
"github.com/go-logr/logr"
refactor: move kyverno constants out of v1 package (#7760) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2023-07-06 10:00:36 +02:00
"github.com/kyverno/kyverno/api/kyverno"
feat: add policy exception validation webhook (#5679) * feat: add policy exception validation webhook Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * handler Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * validation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-12-15 09:34:44 +01:00
"github.com/kyverno/kyverno/pkg/config"
"github.com/kyverno/kyverno/pkg/controllers"
"github.com/kyverno/kyverno/pkg/logging"
"github.com/kyverno/kyverno/pkg/tls"
controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"
feat: delete webhook configurations after kyverno is uninstalled (#10782) * feat: delete webhook configurations after kyverno is uninstalled Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: optionally add permissions Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: linter Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: disable finalizers in latest manifest Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: move webhook cleanup to webhooks controller Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add finalizers on deployment Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: refactor Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add roles to cleanupcontroller Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add cleanup to generic controllers Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add webhook cleanup in generic controllers Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: remove unnecessary clusterrole and clusterrole bindings Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: make this behaviour opt-in Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: reconcile webhook setup on deployment change Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: update codegen and remove unused vars Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add finalizers to chart Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>
2024-09-04 16:29:59 +05:30
runtimeutils "github.com/kyverno/kyverno/pkg/utils/runtime"
feat: webhook labels (#9015) Signed-off-by: Zadkiel Aharonian <hello@zadkiel.fr> Co-authored-by: shuting <shuting@nirmata.com>
2023-12-07 13:58:31 +01:00
"golang.org/x/exp/maps"
feat: add policy exception validation webhook (#5679) * feat: add policy exception validation webhook Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * handler Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * validation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-12-15 09:34:44 +01:00
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
feat: delete webhook configurations after kyverno is uninstalled (#10782) * feat: delete webhook configurations after kyverno is uninstalled Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: optionally add permissions Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: linter Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: disable finalizers in latest manifest Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: move webhook cleanup to webhooks controller Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add finalizers on deployment Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: refactor Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add roles to cleanupcontroller Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add cleanup to generic controllers Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add webhook cleanup in generic controllers Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: remove unnecessary clusterrole and clusterrole bindings Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: make this behaviour opt-in Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: reconcile webhook setup on deployment change Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: update codegen and remove unused vars Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add finalizers to chart Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>
2024-09-04 16:29:59 +05:30
appsv1 "k8s.io/api/apps/v1"
feat: add policy exception validation webhook (#5679) * feat: add policy exception validation webhook Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * handler Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * validation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-12-15 09:34:44 +01:00
corev1 "k8s.io/api/core/v1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
admissionregistrationv1informers "k8s.io/client-go/informers/admissionregistration/v1"
feat: delete webhook configurations after kyverno is uninstalled (#10782) * feat: delete webhook configurations after kyverno is uninstalled Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: optionally add permissions Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: linter Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: disable finalizers in latest manifest Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: move webhook cleanup to webhooks controller Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add finalizers on deployment Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: refactor Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add roles to cleanupcontroller Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add cleanup to generic controllers Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add webhook cleanup in generic controllers Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: remove unnecessary clusterrole and clusterrole bindings Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: make this behaviour opt-in Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: reconcile webhook setup on deployment change Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: update codegen and remove unused vars Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add finalizers to chart Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>
2024-09-04 16:29:59 +05:30
appsv1informers "k8s.io/client-go/informers/apps/v1"
feat: add policy exception validation webhook (#5679) * feat: add policy exception validation webhook Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * handler Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * validation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-12-15 09:34:44 +01:00
corev1informers "k8s.io/client-go/informers/core/v1"
admissionregistrationv1listers "k8s.io/client-go/listers/admissionregistration/v1"
feat: delete webhook configurations after kyverno is uninstalled (#10782) * feat: delete webhook configurations after kyverno is uninstalled Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: optionally add permissions Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: linter Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: disable finalizers in latest manifest Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: move webhook cleanup to webhooks controller Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add finalizers on deployment Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: refactor Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add roles to cleanupcontroller Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add cleanup to generic controllers Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add webhook cleanup in generic controllers Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: remove unnecessary clusterrole and clusterrole bindings Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: make this behaviour opt-in Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: reconcile webhook setup on deployment change Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: update codegen and remove unused vars Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add finalizers to chart Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>
2024-09-04 16:29:59 +05:30
appsv1listers "k8s.io/client-go/listers/apps/v1"
feat: add policy exception validation webhook (#5679) * feat: add policy exception validation webhook Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * handler Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * validation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-12-15 09:34:44 +01:00
corev1listers "k8s.io/client-go/listers/core/v1"
"k8s.io/client-go/util/workqueue"
)
const (
fix: invoke cleanup process during shutdown (#5974) * invoke cleanup process during shutdown Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix shutdown cleanup Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix shutdown panic Signed-off-by: ShutingZhao <shuting@nirmata.com> * cleanup webhooks by the label Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2023-01-12 12:47:40 +08:00
maxRetries = 10
feat: add policy exception validation webhook (#5679) * feat: add policy exception validation webhook Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * handler Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * validation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-12-15 09:34:44 +01:00
)
var (
feat: add ttl controller (#7821) * added the ttl controller Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fixed label and vars Signed-off-by: Ved Ratan <vedratan8@gmail.com> * added logger Signed-off-by: Ved Ratan <vedratan8@gmail.com> * applied fixes Signed-off-by: Ved Ratan <vedratan8@gmail.com> * removed comments Signed-off-by: Ved Ratan <vedratan8@gmail.com> * lint Signed-off-by: Ved Ratan <vedratan8@gmail.com> * lint Signed-off-by: Ved Ratan <vedratan8@gmail.com> * lint Signed-off-by: Ved Ratan <vedratan8@gmail.com> * more lint fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * applied changes Signed-off-by: Ved Ratan <vedratan8@gmail.com> * minor fixes Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix logger, separate parse logic Signed-off-by: Ved Ratan <vedratan8@gmail.com> * added tests Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * added kuttl tests, validation utilities Signed-off-by: Ved Ratan <vedratan8@gmail.com> * commented code Signed-off-by: Ved Ratan <vedratan8@gmail.com> * renamed tests Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix test Signed-off-by: Ved Ratan <vedratan8@gmail.com> * created log.go Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix log.go Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * added README.md refactor code Signed-off-by: Ved Ratan <vedratan8@gmail.com> * lint fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * lint Signed-off-by: Ved Ratan <vedratan8@gmail.com> * lint fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * added validation webhook Signed-off-by: Ved Ratan <vedratan8@gmail.com> * label-validation fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * added flag, updated verbs Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * updated verbs Signed-off-by: Ved Ratan <vedratan8@gmail.com> * updated helm chart Signed-off-by: Ved Ratan <vedratan8@gmail.com> * test fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * lint Signed-off-by: Ved Ratan <vedratan8@gmail.com> * linter Signed-off-by: Ved Ratan <vedratan8@gmail.com> * imporoved webhook validation Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * linter fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * lint Signed-off-by: Ved Ratan <vedratan8@gmail.com> * lint fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * webhook names and path constants Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * constant label Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix label selector Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * kuttl test fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * helm docs Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix controller logger Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix: manager logger Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix failure policy Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * kuttl tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * move kuttl tests in separate job Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * remove rbac steps Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * remove configmaps from core cluster role Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix logger Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * rename flag Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * kuttl Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix error Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix linter Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Ved Ratan <vedratan8@gmail.com> Signed-off-by: Ved Ratan <82467006+VedRatan@users.noreply.github.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2023-08-02 20:17:40 +05:30
none = admissionregistrationv1.SideEffectClassNone
fail = admissionregistrationv1.Fail
ignore = admissionregistrationv1.Ignore
None = &none
Fail = &fail
Ignore = &ignore
feat: add policy exception validation webhook (#5679) * feat: add policy exception validation webhook Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * handler Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * validation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-12-15 09:34:44 +01:00
)
type controller struct {
// clients
vwcClient controllerutils.ObjectClient[*admissionregistrationv1.ValidatingWebhookConfiguration]
// listers
feat: delete webhook configurations after kyverno is uninstalled (#10782) * feat: delete webhook configurations after kyverno is uninstalled Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: optionally add permissions Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: linter Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: disable finalizers in latest manifest Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: move webhook cleanup to webhooks controller Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add finalizers on deployment Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: refactor Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add roles to cleanupcontroller Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add cleanup to generic controllers Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add webhook cleanup in generic controllers Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: remove unnecessary clusterrole and clusterrole bindings Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: make this behaviour opt-in Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: reconcile webhook setup on deployment change Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: update codegen and remove unused vars Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add finalizers to chart Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>
2024-09-04 16:29:59 +05:30
vwcLister admissionregistrationv1listers.ValidatingWebhookConfigurationLister
secretLister corev1listers.SecretNamespaceLister
deploymentLister appsv1listers.DeploymentNamespaceLister
feat: add policy exception validation webhook (#5679) * feat: add policy exception validation webhook Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * handler Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * validation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-12-15 09:34:44 +01:00
// queue
feat: bump to k8s 1.31 (#10938) * feat: bump to k8s 1.31 Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * tidy Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * mod Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix otel Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix otel schema Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update linter Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * feat: fix image verification tests Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * linter issues Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * cel change Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Co-authored-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
2024-08-28 19:09:58 +02:00
queue workqueue.TypedRateLimitingInterface[any]
feat: add policy exception validation webhook (#5679) * feat: add policy exception validation webhook Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * handler Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * validation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-12-15 09:34:44 +01:00
// config
feat: delete webhook configurations after kyverno is uninstalled (#10782) * feat: delete webhook configurations after kyverno is uninstalled Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: optionally add permissions Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: linter Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: disable finalizers in latest manifest Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: move webhook cleanup to webhooks controller Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add finalizers on deployment Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: refactor Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add roles to cleanupcontroller Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add cleanup to generic controllers Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add webhook cleanup in generic controllers Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: remove unnecessary clusterrole and clusterrole bindings Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: make this behaviour opt-in Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: reconcile webhook setup on deployment change Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: update codegen and remove unused vars Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add finalizers to chart Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>
2024-09-04 16:29:59 +05:30
controllerName string
logger logr.Logger
webhookName string
path string
server string
servicePort int32
rules []admissionregistrationv1.RuleWithOperations
failurePolicy *admissionregistrationv1.FailurePolicyType
sideEffects *admissionregistrationv1.SideEffectClass
runtime runtimeutils.Runtime
configuration config.Configuration
labelSelector *metav1.LabelSelector
caSecretName string
webhooksDeleted bool
autoDeleteWebhooks bool
webhookCleanupSetup func(context.Context, logr.Logger) error
postWebhookCleanup func(context.Context, logr.Logger) error
feat: add policy exception validation webhook (#5679) * feat: add policy exception validation webhook Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * handler Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * validation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-12-15 09:34:44 +01:00
}
func NewController(
controllerName string,
vwcClient controllerutils.ObjectClient[*admissionregistrationv1.ValidatingWebhookConfiguration],
vwcInformer admissionregistrationv1informers.ValidatingWebhookConfigurationInformer,
secretInformer corev1informers.SecretInformer,
feat: delete webhook configurations after kyverno is uninstalled (#10782) * feat: delete webhook configurations after kyverno is uninstalled Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: optionally add permissions Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: linter Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: disable finalizers in latest manifest Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: move webhook cleanup to webhooks controller Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add finalizers on deployment Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: refactor Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add roles to cleanupcontroller Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add cleanup to generic controllers Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add webhook cleanup in generic controllers Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: remove unnecessary clusterrole and clusterrole bindings Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: make this behaviour opt-in Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: reconcile webhook setup on deployment change Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: update codegen and remove unused vars Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add finalizers to chart Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>
2024-09-04 16:29:59 +05:30
deploymentInformer appsv1informers.DeploymentInformer,
feat: add policy exception validation webhook (#5679) * feat: add policy exception validation webhook Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * handler Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * validation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-12-15 09:34:44 +01:00
webhookName string,
path string,
server string,
fix: Overriding .Values.service.port doesn't work (#6118) * fix: Overriding .Values.service.port doesn't work Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2023-01-29 00:54:29 +01:00
servicePort int32,
Make server ports configurable, resolves #7279 (#7728) * Make server ports configurable, resolves #7279 Signed-off-by: Dirk Pahl <dirk.pahl@deutschebahn.com> * Make server ports configurable, resolves #7279 Signed-off-by: Dirk Pahl <dirk.pahl@deutschebahn.com> * Switch to flags instead of env vars Signed-off-by: Dirk Pahl <dirk.pahl@deutschebahn.com> * Could not use internal package in webhooks pkg Signed-off-by: Dirk Pahl <dirk.pahl@deutschebahn.com> * Add helm chart changes Signed-off-by: Dirk Pahl <dirk.pahl@deutschebahn.com> * make codegen-docs-all Signed-off-by: Dirk Pahl <dirk.pahl@deutschebahn.com> * make codegen-manifest-all Signed-off-by: Dirk Pahl <dirk.pahl@deutschebahn.com> --------- Signed-off-by: Dirk Pahl <dirk.pahl@deutschebahn.com> Co-authored-by: Dirk Pahl <dirk.pahl@deutschebahn.com> Co-authored-by: shuting <shuting@nirmata.com>
2023-11-17 15:19:53 +01:00
webhookServerPort int32,
feat: add ttl controller (#7821) * added the ttl controller Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fixed label and vars Signed-off-by: Ved Ratan <vedratan8@gmail.com> * added logger Signed-off-by: Ved Ratan <vedratan8@gmail.com> * applied fixes Signed-off-by: Ved Ratan <vedratan8@gmail.com> * removed comments Signed-off-by: Ved Ratan <vedratan8@gmail.com> * lint Signed-off-by: Ved Ratan <vedratan8@gmail.com> * lint Signed-off-by: Ved Ratan <vedratan8@gmail.com> * lint Signed-off-by: Ved Ratan <vedratan8@gmail.com> * more lint fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * applied changes Signed-off-by: Ved Ratan <vedratan8@gmail.com> * minor fixes Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix logger, separate parse logic Signed-off-by: Ved Ratan <vedratan8@gmail.com> * added tests Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * added kuttl tests, validation utilities Signed-off-by: Ved Ratan <vedratan8@gmail.com> * commented code Signed-off-by: Ved Ratan <vedratan8@gmail.com> * renamed tests Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix test Signed-off-by: Ved Ratan <vedratan8@gmail.com> * created log.go Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix log.go Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * added README.md refactor code Signed-off-by: Ved Ratan <vedratan8@gmail.com> * lint fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * lint Signed-off-by: Ved Ratan <vedratan8@gmail.com> * lint fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * added validation webhook Signed-off-by: Ved Ratan <vedratan8@gmail.com> * label-validation fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * added flag, updated verbs Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * updated verbs Signed-off-by: Ved Ratan <vedratan8@gmail.com> * updated helm chart Signed-off-by: Ved Ratan <vedratan8@gmail.com> * test fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * lint Signed-off-by: Ved Ratan <vedratan8@gmail.com> * linter Signed-off-by: Ved Ratan <vedratan8@gmail.com> * imporoved webhook validation Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * linter fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * lint Signed-off-by: Ved Ratan <vedratan8@gmail.com> * lint fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * webhook names and path constants Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * constant label Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix label selector Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * kuttl test fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * helm docs Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix controller logger Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix: manager logger Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix failure policy Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * kuttl tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * move kuttl tests in separate job Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * remove rbac steps Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * remove configmaps from core cluster role Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix logger Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * rename flag Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * kuttl Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix error Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix linter Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Ved Ratan <vedratan8@gmail.com> Signed-off-by: Ved Ratan <82467006+VedRatan@users.noreply.github.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2023-08-02 20:17:40 +05:30
labelSelector *metav1.LabelSelector,
feat: add policy exception validation webhook (#5679) * feat: add policy exception validation webhook Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * handler Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * validation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-12-15 09:34:44 +01:00
rules []admissionregistrationv1.RuleWithOperations,
failurePolicy *admissionregistrationv1.FailurePolicyType,
sideEffects *admissionregistrationv1.SideEffectClass,
fix: improve config management (#6808) * fix: improve config logs Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * notification Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2023-04-06 21:13:32 +02:00
configuration config.Configuration,
feat: allow overriding ca and tls secret names (#8137) * feat: allow overriding ca and tls secret names Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2023-08-28 16:05:49 +02:00
caSecretName string,
feat: delete webhook configurations after kyverno is uninstalled (#10782) * feat: delete webhook configurations after kyverno is uninstalled Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: optionally add permissions Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: linter Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: disable finalizers in latest manifest Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: move webhook cleanup to webhooks controller Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add finalizers on deployment Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: refactor Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add roles to cleanupcontroller Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add cleanup to generic controllers Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add webhook cleanup in generic controllers Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: remove unnecessary clusterrole and clusterrole bindings Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: make this behaviour opt-in Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: reconcile webhook setup on deployment change Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: update codegen and remove unused vars Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add finalizers to chart Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>
2024-09-04 16:29:59 +05:30
runtime runtimeutils.Runtime,
autoDeleteWebhooks bool,
webhookCleanupSetup func(context.Context, logr.Logger) error,
postWebhookCleanup func(context.Context, logr.Logger) error,
feat: add policy exception validation webhook (#5679) * feat: add policy exception validation webhook Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * handler Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * validation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-12-15 09:34:44 +01:00
) controllers.Controller {
chore: change controller rated limiting queue (#11509) Signed-off-by: Fleezesd <1253576349@qq.com> Co-authored-by: shuting <shuting@nirmata.com>
2024-11-04 21:48:58 +08:00
queue := workqueue.NewTypedRateLimitingQueueWithConfig(
workqueue.DefaultTypedControllerRateLimiter[any](),
workqueue.TypedRateLimitingQueueConfig[any]{Name: controllerName},
)
feat: add policy exception validation webhook (#5679) * feat: add policy exception validation webhook Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * handler Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * validation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-12-15 09:34:44 +01:00
c := controller{
feat: delete webhook configurations after kyverno is uninstalled (#10782) * feat: delete webhook configurations after kyverno is uninstalled Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: optionally add permissions Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: linter Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: disable finalizers in latest manifest Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: move webhook cleanup to webhooks controller Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add finalizers on deployment Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: refactor Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add roles to cleanupcontroller Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add cleanup to generic controllers Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add webhook cleanup in generic controllers Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: remove unnecessary clusterrole and clusterrole bindings Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: make this behaviour opt-in Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: reconcile webhook setup on deployment change Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: update codegen and remove unused vars Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add finalizers to chart Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>
2024-09-04 16:29:59 +05:30
vwcClient: vwcClient,
vwcLister: vwcInformer.Lister(),
secretLister: secretInformer.Lister().Secrets(config.KyvernoNamespace()),
deploymentLister: deploymentInformer.Lister().Deployments(config.KyvernoNamespace()),
queue: queue,
controllerName: controllerName,
logger: logging.ControllerLogger(controllerName),
webhookName: webhookName,
path: path,
server: server,
servicePort: servicePort,
rules: rules,
failurePolicy: failurePolicy,
sideEffects: sideEffects,
configuration: configuration,
labelSelector: labelSelector,
caSecretName: caSecretName,
runtime: runtime,
autoDeleteWebhooks: autoDeleteWebhooks,
webhookCleanupSetup: webhookCleanupSetup,
postWebhookCleanup: postWebhookCleanup,
feat: add policy exception validation webhook (#5679) * feat: add policy exception validation webhook Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * handler Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * validation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-12-15 09:34:44 +01:00
}
fix: propagate registration and error in controllerutils pkg (#8192) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2023-08-31 22:08:29 +02:00
if _, _, err := controllerutils.AddDefaultEventHandlers(c.logger, vwcInformer.Informer(), queue); err != nil {
fix typo (#8399) Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2023-09-14 16:52:24 +03:00
c.logger.Error(err, "failed to register event handlers")
fix: propagate registration and error in controllerutils pkg (#8192) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2023-08-31 22:08:29 +02:00
}
if _, err := controllerutils.AddEventHandlersT(
feat: add policy exception validation webhook (#5679) * feat: add policy exception validation webhook Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * handler Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * validation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-12-15 09:34:44 +01:00
secretInformer.Informer(),
func(obj *corev1.Secret) {
feat: allow overriding ca and tls secret names (#8137) * feat: allow overriding ca and tls secret names Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2023-08-28 16:05:49 +02:00
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == caSecretName {
feat: add policy exception validation webhook (#5679) * feat: add policy exception validation webhook Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * handler Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * validation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-12-15 09:34:44 +01:00
c.enqueue()
}
},
func(_, obj *corev1.Secret) {
feat: allow overriding ca and tls secret names (#8137) * feat: allow overriding ca and tls secret names Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2023-08-28 16:05:49 +02:00
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == caSecretName {
feat: add policy exception validation webhook (#5679) * feat: add policy exception validation webhook Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * handler Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * validation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-12-15 09:34:44 +01:00
c.enqueue()
}
},
func(obj *corev1.Secret) {
feat: allow overriding ca and tls secret names (#8137) * feat: allow overriding ca and tls secret names Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2023-08-28 16:05:49 +02:00
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == caSecretName {
feat: add policy exception validation webhook (#5679) * feat: add policy exception validation webhook Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * handler Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * validation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-12-15 09:34:44 +01:00
c.enqueue()
}
},
fix: propagate registration and error in controllerutils pkg (#8192) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2023-08-31 22:08:29 +02:00
); err != nil {
fix typo (#8399) Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2023-09-14 16:52:24 +03:00
c.logger.Error(err, "failed to register event handlers")
fix: propagate registration and error in controllerutils pkg (#8192) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2023-08-31 22:08:29 +02:00
}
feat: delete webhook configurations after kyverno is uninstalled (#10782) * feat: delete webhook configurations after kyverno is uninstalled Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: optionally add permissions Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: linter Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: disable finalizers in latest manifest Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: move webhook cleanup to webhooks controller Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add finalizers on deployment Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: refactor Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add roles to cleanupcontroller Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add cleanup to generic controllers Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add webhook cleanup in generic controllers Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: remove unnecessary clusterrole and clusterrole bindings Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: make this behaviour opt-in Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: reconcile webhook setup on deployment change Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: update codegen and remove unused vars Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add finalizers to chart Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>
2024-09-04 16:29:59 +05:30
if autoDeleteWebhooks {
if _, err := controllerutils.AddEventHandlersT(
deploymentInformer.Informer(),
func(obj *appsv1.Deployment) {
},
func(_, obj *appsv1.Deployment) {
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.KyvernoDeploymentName() {
c.enqueueCleanupAfter(1 * time.Second)
}
},
func(obj *appsv1.Deployment) {
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.KyvernoDeploymentName() {
c.enqueueCleanup()
}
},
); err != nil {
c.logger.Error(err, "failed to register event handlers")
}
}
fix: improve config management (#6808) * fix: improve config logs Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * notification Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2023-04-06 21:13:32 +02:00
configuration.OnChanged(c.enqueue)
feat: add policy exception validation webhook (#5679) * feat: add policy exception validation webhook Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * handler Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * validation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-12-15 09:34:44 +01:00
return &c
}
func (c *controller) Run(ctx context.Context, workers int) {
fix: make webhook cleanup setup optional and add cleanup ci test (#11077) * fix: make webhook cleanup setup optional and add cleanup ci test Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: add logging Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: add validating webhook count check Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>
2024-09-11 12:08:45 +05:30
if c.autoDeleteWebhooks {
if err := c.webhookCleanupSetup(ctx, c.logger); err != nil {
c.logger.Error(err, "failed to setup webhook cleanup")
}
feat: delete webhook configurations after kyverno is uninstalled (#10782) * feat: delete webhook configurations after kyverno is uninstalled Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: optionally add permissions Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: linter Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: disable finalizers in latest manifest Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: move webhook cleanup to webhooks controller Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add finalizers on deployment Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: refactor Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add roles to cleanupcontroller Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add cleanup to generic controllers Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add webhook cleanup in generic controllers Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: remove unnecessary clusterrole and clusterrole bindings Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: make this behaviour opt-in Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: reconcile webhook setup on deployment change Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: update codegen and remove unused vars Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add finalizers to chart Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>
2024-09-04 16:29:59 +05:30
}
feat: add policy exception validation webhook (#5679) * feat: add policy exception validation webhook Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * handler Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * validation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-12-15 09:34:44 +01:00
c.enqueue()
controllerutils.Run(ctx, c.logger, c.controllerName, time.Second, c.queue, workers, maxRetries, c.reconcile)
}
func (c *controller) enqueue() {
c.queue.Add(c.webhookName)
}
feat: delete webhook configurations after kyverno is uninstalled (#10782) * feat: delete webhook configurations after kyverno is uninstalled Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: optionally add permissions Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: linter Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: disable finalizers in latest manifest Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: move webhook cleanup to webhooks controller Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add finalizers on deployment Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: refactor Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add roles to cleanupcontroller Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add cleanup to generic controllers Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add webhook cleanup in generic controllers Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: remove unnecessary clusterrole and clusterrole bindings Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: make this behaviour opt-in Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: reconcile webhook setup on deployment change Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: update codegen and remove unused vars Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add finalizers to chart Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>
2024-09-04 16:29:59 +05:30
func (c *controller) enqueueCleanup() {
c.queue.Add(config.KyvernoDeploymentName())
}
func (c *controller) enqueueCleanupAfter(duration time.Duration) {
c.queue.AddAfter(config.KyvernoDeploymentName(), duration)
}
feat: add policy exception validation webhook (#5679) * feat: add policy exception validation webhook Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * handler Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * validation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-12-15 09:34:44 +01:00
func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, _, _ string) error {
feat: delete webhook configurations after kyverno is uninstalled (#10782) * feat: delete webhook configurations after kyverno is uninstalled Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: optionally add permissions Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: linter Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: disable finalizers in latest manifest Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: move webhook cleanup to webhooks controller Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add finalizers on deployment Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: refactor Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add roles to cleanupcontroller Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add cleanup to generic controllers Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add webhook cleanup in generic controllers Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: remove unnecessary clusterrole and clusterrole bindings Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: make this behaviour opt-in Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: reconcile webhook setup on deployment change Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: update codegen and remove unused vars Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add finalizers to chart Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>
2024-09-04 16:29:59 +05:30
if c.autoDeleteWebhooks && c.runtime.IsGoingDown() {
return c.reconcileWebhookDeletion(ctx)
}
if c.autoDeleteWebhooks && key == config.KyvernoDeploymentName() {
return c.reconcileWebhookDeletion(ctx)
}
feat: add policy exception validation webhook (#5679) * feat: add policy exception validation webhook Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * handler Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * validation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-12-15 09:34:44 +01:00
if key != c.webhookName {
return nil
}
feat: allow overriding ca and tls secret names (#8137) * feat: allow overriding ca and tls secret names Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2023-08-28 16:05:49 +02:00
caData, err := tls.ReadRootCASecret(c.caSecretName, config.KyvernoNamespace(), c.secretLister)
feat: add policy exception validation webhook (#5679) * feat: add policy exception validation webhook Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * handler Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * validation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-12-15 09:34:44 +01:00
if err != nil {
return err
}
fix: improve config management (#6808) * fix: improve config logs Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * notification Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2023-04-06 21:13:32 +02:00
desired, err := c.build(c.configuration, caData)
feat: add policy exception validation webhook (#5679) * feat: add policy exception validation webhook Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * handler Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * validation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-12-15 09:34:44 +01:00
if err != nil {
return err
}
observed, err := c.vwcLister.Get(desired.Name)
if err != nil {
if apierrors.IsNotFound(err) {
_, err := c.vwcClient.Create(ctx, desired, metav1.CreateOptions{})
return err
}
return err
}
_, err = controllerutils.Update(ctx, observed, c.vwcClient, func(w *admissionregistrationv1.ValidatingWebhookConfiguration) error {
w.Labels = desired.Labels
feat: add webhook annotations support in config map (#6579) * feat: add webhook annotations support in config map Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * release notes Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * example Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2023-03-15 14:17:37 +01:00
w.Annotations = desired.Annotations
feat: add policy exception validation webhook (#5679) * feat: add policy exception validation webhook Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * handler Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * validation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-12-15 09:34:44 +01:00
w.OwnerReferences = desired.OwnerReferences
w.Webhooks = desired.Webhooks
return nil
})
return err
}
feat: delete webhook configurations after kyverno is uninstalled (#10782) * feat: delete webhook configurations after kyverno is uninstalled Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: optionally add permissions Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: linter Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: disable finalizers in latest manifest Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: move webhook cleanup to webhooks controller Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add finalizers on deployment Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: refactor Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add roles to cleanupcontroller Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add cleanup to generic controllers Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add webhook cleanup in generic controllers Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: remove unnecessary clusterrole and clusterrole bindings Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: make this behaviour opt-in Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: reconcile webhook setup on deployment change Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: update codegen and remove unused vars Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add finalizers to chart Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>
2024-09-04 16:29:59 +05:30
func (c *controller) reconcileWebhookDeletion(ctx context.Context) error {
if c.autoDeleteWebhooks {
if c.runtime.IsGoingDown() {
if c.webhooksDeleted {
return nil
}
c.webhooksDeleted = true
if err := c.vwcClient.Delete(ctx, c.webhookName, metav1.DeleteOptions{}); err != nil && !apierrors.IsNotFound(err) {
c.logger.Error(err, "failed to clean up validating webhook configuration", "label", kyverno.LabelWebhookManagedBy)
return err
} else if err == nil {
c.logger.Info("successfully deleted validating webhook configurations", "label", kyverno.LabelWebhookManagedBy)
}
if err := c.postWebhookCleanup(ctx, c.logger); err != nil {
c.logger.Error(err, "failed to clean up temporary rbac")
return err
} else {
c.logger.Info("successfully deleted temporary rbac")
}
} else {
if err := c.webhookCleanupSetup(ctx, c.logger); err != nil {
c.logger.Error(err, "failed to reconcile webhook cleanup setup")
return err
}
c.logger.Info("reconciled webhook cleanup setup")
}
}
return nil
}
feat: webhook labels (#9015) Signed-off-by: Zadkiel Aharonian <hello@zadkiel.fr> Co-authored-by: shuting <shuting@nirmata.com>
2023-12-07 13:58:31 +01:00
func objectMeta(name string, annotations map[string]string, labels map[string]string, owner ...metav1.OwnerReference) metav1.ObjectMeta {
desiredLabels := make(map[string]string)
defaultLabels := map[string]string{
kyverno.LabelWebhookManagedBy: kyverno.ValueKyvernoApp,
}
maps.Copy(desiredLabels, labels)
maps.Copy(desiredLabels, defaultLabels)
feat: add policy exception validation webhook (#5679) * feat: add policy exception validation webhook Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * handler Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * validation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-12-15 09:34:44 +01:00
return metav1.ObjectMeta{
feat: webhook labels (#9015) Signed-off-by: Zadkiel Aharonian <hello@zadkiel.fr> Co-authored-by: shuting <shuting@nirmata.com>
2023-12-07 13:58:31 +01:00
Name: name,
Labels: desiredLabels,
feat: add webhook annotations support in config map (#6579) * feat: add webhook annotations support in config map Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * release notes Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * example Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2023-03-15 14:17:37 +01:00
Annotations: annotations,
feat: add policy exception validation webhook (#5679) * feat: add policy exception validation webhook Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * handler Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * validation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-12-15 09:34:44 +01:00
OwnerReferences: owner,
}
}
feat: add webhook annotations support in config map (#6579) * feat: add webhook annotations support in config map Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * release notes Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * example Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2023-03-15 14:17:37 +01:00
func (c *controller) build(cfg config.Configuration, caBundle []byte) (*admissionregistrationv1.ValidatingWebhookConfiguration, error) {
feat: add policy exception validation webhook (#5679) * feat: add policy exception validation webhook Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * handler Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * validation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-12-15 09:34:44 +01:00
return &admissionregistrationv1.ValidatingWebhookConfiguration{
feat: webhook labels (#9015) Signed-off-by: Zadkiel Aharonian <hello@zadkiel.fr> Co-authored-by: shuting <shuting@nirmata.com>
2023-12-07 13:58:31 +01:00
ObjectMeta: objectMeta(c.webhookName, cfg.GetWebhookAnnotations(), cfg.GetWebhookLabels()),
feat: add policy exception validation webhook (#5679) * feat: add policy exception validation webhook Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * handler Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * validation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-12-15 09:34:44 +01:00
Webhooks: []admissionregistrationv1.ValidatingWebhook{{
Name: fmt.Sprintf("%s.%s.svc", config.KyvernoServiceName(), config.KyvernoNamespace()),
ClientConfig: c.clientConfig(caBundle),
Rules: c.rules,
FailurePolicy: c.failurePolicy,
SideEffects: c.sideEffects,
AdmissionReviewVersions: []string{"v1"},
feat: add ttl controller (#7821) * added the ttl controller Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fixed label and vars Signed-off-by: Ved Ratan <vedratan8@gmail.com> * added logger Signed-off-by: Ved Ratan <vedratan8@gmail.com> * applied fixes Signed-off-by: Ved Ratan <vedratan8@gmail.com> * removed comments Signed-off-by: Ved Ratan <vedratan8@gmail.com> * lint Signed-off-by: Ved Ratan <vedratan8@gmail.com> * lint Signed-off-by: Ved Ratan <vedratan8@gmail.com> * lint Signed-off-by: Ved Ratan <vedratan8@gmail.com> * more lint fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * applied changes Signed-off-by: Ved Ratan <vedratan8@gmail.com> * minor fixes Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix logger, separate parse logic Signed-off-by: Ved Ratan <vedratan8@gmail.com> * added tests Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * added kuttl tests, validation utilities Signed-off-by: Ved Ratan <vedratan8@gmail.com> * commented code Signed-off-by: Ved Ratan <vedratan8@gmail.com> * renamed tests Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix test Signed-off-by: Ved Ratan <vedratan8@gmail.com> * created log.go Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix log.go Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * added README.md refactor code Signed-off-by: Ved Ratan <vedratan8@gmail.com> * lint fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * lint Signed-off-by: Ved Ratan <vedratan8@gmail.com> * lint fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * added validation webhook Signed-off-by: Ved Ratan <vedratan8@gmail.com> * label-validation fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * added flag, updated verbs Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * updated verbs Signed-off-by: Ved Ratan <vedratan8@gmail.com> * updated helm chart Signed-off-by: Ved Ratan <vedratan8@gmail.com> * test fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * lint Signed-off-by: Ved Ratan <vedratan8@gmail.com> * linter Signed-off-by: Ved Ratan <vedratan8@gmail.com> * imporoved webhook validation Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * linter fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * lint Signed-off-by: Ved Ratan <vedratan8@gmail.com> * lint fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * webhook names and path constants Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * constant label Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix label selector Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * kuttl test fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * helm docs Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix controller logger Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix: manager logger Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix failure policy Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * kuttl tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * move kuttl tests in separate job Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * remove rbac steps Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * remove configmaps from core cluster role Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix logger Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * rename flag Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * kuttl Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix error Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix linter Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Ved Ratan <vedratan8@gmail.com> Signed-off-by: Ved Ratan <82467006+VedRatan@users.noreply.github.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2023-08-02 20:17:40 +05:30
ObjectSelector: c.labelSelector,
feat: add match conditions support in webhooks (#8042) * feat: add match conditions support in webhooks Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * chart Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * release notes Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * changelog Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix configmap Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * warning Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2023-08-18 10:32:15 +02:00
MatchConditions: cfg.GetMatchConditions(),
feat: add policy exception validation webhook (#5679) * feat: add policy exception validation webhook Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * handler Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * validation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-12-15 09:34:44 +01:00
}},
},
nil
}
func (c *controller) clientConfig(caBundle []byte) admissionregistrationv1.WebhookClientConfig {
clientConfig := admissionregistrationv1.WebhookClientConfig{
CABundle: caBundle,
}
if c.server == "" {
clientConfig.Service = &admissionregistrationv1.ServiceReference{
Namespace: config.KyvernoNamespace(),
Name: config.KyvernoServiceName(),
Path: &c.path,
fix: Overriding .Values.service.port doesn't work (#6118) * fix: Overriding .Values.service.port doesn't work Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2023-01-29 00:54:29 +01:00
Port: &c.servicePort,
feat: add policy exception validation webhook (#5679) * feat: add policy exception validation webhook Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * handler Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * validation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-12-15 09:34:44 +01:00
}
} else {
url := fmt.Sprintf("https://%s%s", c.server, c.path)
clientConfig.URL = &url
}
return clientConfig
}
Copy permalink