2019-11-18 11:41:37 -08:00
|
|
|
/*
|
|
|
|
|
Cleans up stale webhookconfigurations created by kyverno that were not cleanedup
|
|
|
|
|
*/
|
|
|
|
|
package main
|
|
|
|
|
|
|
|
|
|
import (
|
2021-10-06 14:25:38 -04:00
|
|
|
"context"
|
2022-05-29 09:27:14 +02:00
|
|
|
"encoding/json"
|
2019-11-18 11:41:37 -08:00
|
|
|
"os"
|
|
|
|
|
"sync"
|
2019-12-16 12:55:44 -08:00
|
|
|
"time"
|
2019-11-18 11:41:37 -08:00
|
|
|
|
2022-05-17 13:12:43 +02:00
|
|
|
kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"
|
2022-11-18 15:21:15 +01:00
|
|
|
"github.com/kyverno/kyverno/cmd/internal"
|
2022-04-29 19:05:49 +08:00
|
|
|
kyvernoclient "github.com/kyverno/kyverno/pkg/client/clientset/versioned"
|
2022-08-31 14:03:47 +08:00
|
|
|
"github.com/kyverno/kyverno/pkg/clients/dclient"
|
2021-10-06 14:25:38 -04:00
|
|
|
"github.com/kyverno/kyverno/pkg/config"
|
2021-10-07 04:42:07 +05:30
|
|
|
"github.com/kyverno/kyverno/pkg/leaderelection"
|
2022-10-02 20:45:03 +01:00
|
|
|
"github.com/kyverno/kyverno/pkg/logging"
|
2022-01-11 14:17:24 +05:30
|
|
|
"github.com/kyverno/kyverno/pkg/tls"
|
2020-10-07 11:12:31 -07:00
|
|
|
"github.com/kyverno/kyverno/pkg/utils"
|
2022-08-02 07:54:02 -07:00
|
|
|
"go.uber.org/multierr"
|
2022-05-29 09:27:14 +02:00
|
|
|
admissionv1 "k8s.io/api/admission/v1"
|
2022-05-17 16:14:31 +02:00
|
|
|
coordinationv1 "k8s.io/api/coordination/v1"
|
2019-11-18 11:41:37 -08:00
|
|
|
"k8s.io/apimachinery/pkg/api/errors"
|
2022-04-26 22:18:14 +02:00
|
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
2022-04-29 19:05:49 +08:00
|
|
|
"k8s.io/client-go/kubernetes"
|
2019-11-18 11:41:37 -08:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
const (
|
2022-09-28 13:45:16 +02:00
|
|
|
policyReportKind string = "PolicyReport"
|
|
|
|
|
clusterPolicyReportKind string = "ClusterPolicyReport"
|
|
|
|
|
convertGenerateRequest string = "ConvertGenerateRequest"
|
2019-11-18 11:41:37 -08:00
|
|
|
)
|
|
|
|
|
|
2022-10-02 20:45:03 +01:00
|
|
|
func main() {
|
2022-11-18 15:21:15 +01:00
|
|
|
// config
|
2022-11-23 11:36:15 +01:00
|
|
|
appConfig := internal.NewConfiguration(
|
|
|
|
|
internal.WithKubeconfig(),
|
|
|
|
|
)
|
2022-10-02 20:45:03 +01:00
|
|
|
// parse flags
|
2022-11-24 20:57:01 +01:00
|
|
|
internal.ParseFlags(appConfig)
|
2022-10-02 20:45:03 +01:00
|
|
|
// setup logger
|
2022-11-18 15:21:15 +01:00
|
|
|
// show version
|
2022-11-24 20:57:01 +01:00
|
|
|
// start profiling
|
|
|
|
|
// setup signals
|
|
|
|
|
// setup maxprocs
|
2022-11-29 10:16:07 +01:00
|
|
|
ctx, logger, _, sdown := internal.Setup()
|
2022-11-24 20:57:01 +01:00
|
|
|
defer sdown()
|
|
|
|
|
// create clients
|
2022-11-23 11:36:15 +01:00
|
|
|
kubeClient := internal.CreateKubernetesClient(logger)
|
|
|
|
|
dynamicClient := internal.CreateDynamicClient(logger)
|
|
|
|
|
kyvernoClient := internal.CreateKyvernoClient(logger)
|
2022-11-29 10:16:07 +01:00
|
|
|
client := internal.CreateDClient(logger, ctx, dynamicClient, kubeClient, 15*time.Minute)
|
2020-02-14 18:12:28 -08:00
|
|
|
// Exit for unsupported version of kubernetes cluster
|
2022-10-02 20:45:03 +01:00
|
|
|
if !utils.HigherThanKubernetesVersion(kubeClient.Discovery(), logging.GlobalLogger(), 1, 16, 0) {
|
2020-05-18 17:00:52 -07:00
|
|
|
os.Exit(1)
|
|
|
|
|
}
|
2019-11-18 11:41:37 -08:00
|
|
|
requests := []request{
|
2022-05-10 17:50:04 +02:00
|
|
|
{policyReportKind},
|
|
|
|
|
{clusterPolicyReportKind},
|
|
|
|
|
{convertGenerateRequest},
|
2019-11-18 11:41:37 -08:00
|
|
|
}
|
|
|
|
|
|
2021-10-07 04:42:07 +05:30
|
|
|
go func() {
|
2022-11-24 20:57:01 +01:00
|
|
|
defer sdown()
|
|
|
|
|
<-ctx.Done()
|
2021-10-07 04:42:07 +05:30
|
|
|
}()
|
|
|
|
|
|
2019-11-18 11:41:37 -08:00
|
|
|
done := make(chan struct{})
|
|
|
|
|
defer close(done)
|
|
|
|
|
failure := false
|
2021-10-07 04:42:07 +05:30
|
|
|
|
2022-10-05 12:19:50 +02:00
|
|
|
run := func(context.Context) {
|
2022-05-11 16:58:14 +02:00
|
|
|
name := tls.GenerateRootCASecretName()
|
2022-11-29 10:16:07 +01:00
|
|
|
_, err := kubeClient.CoreV1().Secrets(config.KyvernoNamespace()).Get(context.TODO(), name, metav1.GetOptions{})
|
2022-01-11 14:17:24 +05:30
|
|
|
if err != nil {
|
2022-10-02 20:45:03 +01:00
|
|
|
logging.V(2).Info("failed to fetch root CA secret", "name", name, "error", err.Error())
|
2022-01-11 14:17:24 +05:30
|
|
|
if !errors.IsNotFound(err) {
|
|
|
|
|
os.Exit(1)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2022-05-11 16:58:14 +02:00
|
|
|
name = tls.GenerateTLSPairSecretName()
|
|
|
|
|
_, err = kubeClient.CoreV1().Secrets(config.KyvernoNamespace()).Get(context.TODO(), name, metav1.GetOptions{})
|
2022-01-11 14:17:24 +05:30
|
|
|
if err != nil {
|
2022-10-02 20:45:03 +01:00
|
|
|
logging.V(2).Info("failed to fetch TLS Pair secret", "name", name, "error", err.Error())
|
2022-01-11 14:17:24 +05:30
|
|
|
if !errors.IsNotFound(err) {
|
|
|
|
|
os.Exit(1)
|
|
|
|
|
}
|
|
|
|
|
}
|
2021-10-07 04:42:07 +05:30
|
|
|
|
2022-11-24 20:57:01 +01:00
|
|
|
if err = acquireLeader(ctx, kubeClient); err != nil {
|
2022-10-02 20:45:03 +01:00
|
|
|
logging.V(2).Info("Failed to create lease 'kyvernopre-lock'")
|
2022-04-29 19:05:49 +08:00
|
|
|
os.Exit(1)
|
2021-10-07 04:42:07 +05:30
|
|
|
}
|
|
|
|
|
|
2022-09-30 10:12:21 +02:00
|
|
|
// use pipeline to pass request to cleanup resources
|
2022-11-24 20:57:01 +01:00
|
|
|
in := gen(done, ctx.Done(), requests...)
|
2021-10-07 04:42:07 +05:30
|
|
|
// process requests
|
|
|
|
|
// processing routine count : 2
|
2022-11-24 20:57:01 +01:00
|
|
|
p1 := process(client, kyvernoClient, done, ctx.Done(), in)
|
|
|
|
|
p2 := process(client, kyvernoClient, done, ctx.Done(), in)
|
2021-10-07 04:42:07 +05:30
|
|
|
// merge results from processing routines
|
2022-11-24 20:57:01 +01:00
|
|
|
for err := range merge(done, ctx.Done(), p1, p2) {
|
2021-10-07 04:42:07 +05:30
|
|
|
if err != nil {
|
|
|
|
|
failure = true
|
2022-10-02 20:45:03 +01:00
|
|
|
logging.Error(err, "failed to cleanup resource")
|
2021-10-07 04:42:07 +05:30
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
// if there is any failure then we fail process
|
|
|
|
|
if failure {
|
2022-10-02 20:45:03 +01:00
|
|
|
logging.V(2).Info("failed to cleanup prior configurations")
|
2021-10-07 04:42:07 +05:30
|
|
|
os.Exit(1)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
os.Exit(0)
|
2019-11-18 11:41:37 -08:00
|
|
|
}
|
2021-01-24 11:34:02 -08:00
|
|
|
|
2022-10-05 12:19:50 +02:00
|
|
|
le, err := leaderelection.New(
|
|
|
|
|
logging.WithName("kyvernopre/LeaderElection"),
|
|
|
|
|
"kyvernopre",
|
|
|
|
|
config.KyvernoNamespace(),
|
|
|
|
|
kubeClient,
|
|
|
|
|
config.KyvernoPodName(),
|
2022-11-09 12:37:00 +01:00
|
|
|
leaderelection.DefaultRetryPeriod,
|
2022-10-05 12:19:50 +02:00
|
|
|
run,
|
|
|
|
|
nil,
|
|
|
|
|
)
|
2021-10-07 04:42:07 +05:30
|
|
|
if err != nil {
|
2022-11-18 15:21:15 +01:00
|
|
|
logger.Error(err, "failed to elect a leader")
|
2019-11-18 11:41:37 -08:00
|
|
|
os.Exit(1)
|
|
|
|
|
}
|
2021-10-07 04:42:07 +05:30
|
|
|
|
2022-11-24 20:57:01 +01:00
|
|
|
le.Run(ctx)
|
2019-11-18 11:41:37 -08:00
|
|
|
}
|
|
|
|
|
|
2022-04-29 19:05:49 +08:00
|
|
|
func acquireLeader(ctx context.Context, kubeClient kubernetes.Interface) error {
|
2022-05-11 08:14:30 +02:00
|
|
|
_, err := kubeClient.CoordinationV1().Leases(config.KyvernoNamespace()).Get(ctx, "kyvernopre-lock", metav1.GetOptions{})
|
2022-04-29 19:05:49 +08:00
|
|
|
if err != nil {
|
2022-10-02 20:45:03 +01:00
|
|
|
logging.V(2).Info("Lease 'kyvernopre-lock' not found. Starting clean-up...")
|
2022-04-29 19:05:49 +08:00
|
|
|
} else {
|
2022-10-02 20:45:03 +01:00
|
|
|
logging.V(2).Info("Leader was elected, quitting")
|
2022-04-29 19:05:49 +08:00
|
|
|
os.Exit(0)
|
|
|
|
|
}
|
|
|
|
|
|
2022-05-17 16:14:31 +02:00
|
|
|
lease := coordinationv1.Lease{
|
2022-04-29 19:05:49 +08:00
|
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
|
|
|
Name: "kyvernopre-lock",
|
|
|
|
|
},
|
|
|
|
|
}
|
2022-05-11 08:14:30 +02:00
|
|
|
_, err = kubeClient.CoordinationV1().Leases(config.KyvernoNamespace()).Create(ctx, &lease, metav1.CreateOptions{})
|
2022-04-29 19:05:49 +08:00
|
|
|
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2022-05-17 16:40:51 +02:00
|
|
|
func executeRequest(client dclient.Interface, kyvernoclient kyvernoclient.Interface, req request) error {
|
2020-11-09 11:26:12 -08:00
|
|
|
switch req.kind {
|
2022-04-29 19:05:49 +08:00
|
|
|
case convertGenerateRequest:
|
|
|
|
|
return convertGR(kyvernoclient)
|
2019-11-18 11:41:37 -08:00
|
|
|
}
|
2021-01-24 11:34:02 -08:00
|
|
|
|
2019-11-18 11:41:37 -08:00
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type request struct {
|
|
|
|
|
kind string
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Processing Pipeline
|
|
|
|
|
-> Process Requests
|
|
|
|
|
Generate Requests -> Process Requests -> Merge Results
|
|
|
|
|
-> Process Requests
|
|
|
|
|
- number of processes can be controlled
|
|
|
|
|
- stop processing on SIGTERM OR SIGNKILL signal
|
|
|
|
|
- stop processing if any process fails(supported)
|
|
|
|
|
*/
|
|
|
|
|
// Generates requests to be processed
|
|
|
|
|
func gen(done <-chan struct{}, stopCh <-chan struct{}, requests ...request) <-chan request {
|
|
|
|
|
out := make(chan request)
|
|
|
|
|
go func() {
|
|
|
|
|
defer close(out)
|
|
|
|
|
for _, req := range requests {
|
|
|
|
|
select {
|
|
|
|
|
case out <- req:
|
|
|
|
|
case <-done:
|
|
|
|
|
println("done generate")
|
|
|
|
|
return
|
|
|
|
|
case <-stopCh:
|
|
|
|
|
println("shutting down generate")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}()
|
|
|
|
|
return out
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// processes the requests
|
2022-05-17 16:40:51 +02:00
|
|
|
func process(client dclient.Interface, kyvernoclient kyvernoclient.Interface, done <-chan struct{}, stopCh <-chan struct{}, requests <-chan request) <-chan error {
|
2022-10-02 20:45:03 +01:00
|
|
|
logger := logging.WithName("process")
|
2019-11-18 11:41:37 -08:00
|
|
|
out := make(chan error)
|
|
|
|
|
go func() {
|
|
|
|
|
defer close(out)
|
|
|
|
|
for req := range requests {
|
|
|
|
|
select {
|
2022-04-29 19:05:49 +08:00
|
|
|
case out <- executeRequest(client, kyvernoclient, req):
|
2019-11-18 11:41:37 -08:00
|
|
|
case <-done:
|
2020-03-17 11:05:20 -07:00
|
|
|
logger.Info("done")
|
2019-11-18 11:41:37 -08:00
|
|
|
return
|
|
|
|
|
case <-stopCh:
|
2020-03-17 11:05:20 -07:00
|
|
|
logger.Info("shutting down")
|
2019-11-18 11:41:37 -08:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}()
|
|
|
|
|
return out
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// waits for all processes to be complete and merges result
|
|
|
|
|
func merge(done <-chan struct{}, stopCh <-chan struct{}, processes ...<-chan error) <-chan error {
|
2022-10-02 20:45:03 +01:00
|
|
|
logger := logging.WithName("merge")
|
2019-11-18 11:41:37 -08:00
|
|
|
var wg sync.WaitGroup
|
|
|
|
|
out := make(chan error)
|
|
|
|
|
// gets the output from each process
|
|
|
|
|
output := func(ch <-chan error) {
|
|
|
|
|
defer wg.Done()
|
|
|
|
|
for err := range ch {
|
|
|
|
|
select {
|
|
|
|
|
case out <- err:
|
|
|
|
|
case <-done:
|
2020-03-17 11:05:20 -07:00
|
|
|
logger.Info("done")
|
2019-11-18 11:41:37 -08:00
|
|
|
return
|
|
|
|
|
case <-stopCh:
|
2020-03-17 11:05:20 -07:00
|
|
|
logger.Info("shutting down")
|
2019-11-18 11:41:37 -08:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
wg.Add(len(processes))
|
|
|
|
|
for _, process := range processes {
|
|
|
|
|
go output(process)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// close when all the process goroutines are done
|
|
|
|
|
go func() {
|
|
|
|
|
wg.Wait()
|
|
|
|
|
close(out)
|
|
|
|
|
}()
|
|
|
|
|
return out
|
|
|
|
|
}
|
2020-11-09 11:26:12 -08:00
|
|
|
|
2022-05-02 22:30:07 +02:00
|
|
|
func convertGR(pclient kyvernoclient.Interface) error {
|
2022-10-02 20:45:03 +01:00
|
|
|
logger := logging.WithName("convertGenerateRequest")
|
2022-04-29 19:05:49 +08:00
|
|
|
|
|
|
|
|
var errors []error
|
2022-05-11 08:14:30 +02:00
|
|
|
grs, err := pclient.KyvernoV1().GenerateRequests(config.KyvernoNamespace()).List(context.TODO(), metav1.ListOptions{})
|
2022-04-29 19:05:49 +08:00
|
|
|
if err != nil {
|
|
|
|
|
logger.Error(err, "failed to list update requests")
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
for _, gr := range grs.Items {
|
2022-05-23 17:57:19 +02:00
|
|
|
cp := gr.DeepCopy()
|
2022-05-29 09:27:14 +02:00
|
|
|
var request *admissionv1.AdmissionRequest
|
|
|
|
|
if cp.Spec.Context.AdmissionRequestInfo.AdmissionRequest != "" {
|
|
|
|
|
var r admissionv1.AdmissionRequest
|
|
|
|
|
err := json.Unmarshal([]byte(cp.Spec.Context.AdmissionRequestInfo.AdmissionRequest), &r)
|
|
|
|
|
if err != nil {
|
|
|
|
|
logger.Error(err, "failed to unmarshal admission request")
|
|
|
|
|
errors = append(errors, err)
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
}
|
2022-05-17 13:12:43 +02:00
|
|
|
ur := &kyvernov1beta1.UpdateRequest{
|
2022-04-29 19:05:49 +08:00
|
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
|
|
|
GenerateName: "ur-",
|
2022-05-11 08:14:30 +02:00
|
|
|
Namespace: config.KyvernoNamespace(),
|
2022-05-23 17:57:19 +02:00
|
|
|
Labels: cp.GetLabels(),
|
2022-04-29 19:05:49 +08:00
|
|
|
},
|
2022-05-17 13:12:43 +02:00
|
|
|
Spec: kyvernov1beta1.UpdateRequestSpec{
|
|
|
|
|
Type: kyvernov1beta1.Generate,
|
2022-05-23 17:57:19 +02:00
|
|
|
Policy: cp.Spec.Policy,
|
|
|
|
|
Resource: cp.Spec.Resource,
|
2022-05-17 13:12:43 +02:00
|
|
|
Context: kyvernov1beta1.UpdateRequestSpecContext{
|
|
|
|
|
UserRequestInfo: kyvernov1beta1.RequestInfo{
|
2022-05-23 17:57:19 +02:00
|
|
|
Roles: cp.Spec.Context.UserRequestInfo.Roles,
|
|
|
|
|
ClusterRoles: cp.Spec.Context.UserRequestInfo.ClusterRoles,
|
|
|
|
|
AdmissionUserInfo: cp.Spec.Context.UserRequestInfo.AdmissionUserInfo,
|
2022-04-29 19:05:49 +08:00
|
|
|
},
|
2022-05-17 13:12:43 +02:00
|
|
|
AdmissionRequestInfo: kyvernov1beta1.AdmissionRequestInfoObject{
|
2022-05-29 09:27:14 +02:00
|
|
|
AdmissionRequest: request,
|
2022-05-23 17:57:19 +02:00
|
|
|
Operation: cp.Spec.Context.AdmissionRequestInfo.Operation,
|
2022-04-29 19:05:49 +08:00
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
2022-05-19 18:06:56 +02:00
|
|
|
_, err := pclient.KyvernoV1beta1().UpdateRequests(config.KyvernoNamespace()).Create(context.TODO(), ur, metav1.CreateOptions{})
|
2022-04-29 19:05:49 +08:00
|
|
|
if err != nil {
|
|
|
|
|
logger.Info("failed to create UpdateRequest", "GR namespace", gr.GetNamespace(), "GR name", gr.GetName(), "err", err.Error())
|
|
|
|
|
errors = append(errors, err)
|
|
|
|
|
continue
|
|
|
|
|
} else {
|
|
|
|
|
logger.Info("successfully created UpdateRequest", "GR namespace", gr.GetNamespace(), "GR name", gr.GetName())
|
|
|
|
|
}
|
|
|
|
|
|
2022-05-11 08:14:30 +02:00
|
|
|
if err := pclient.KyvernoV1().GenerateRequests(config.KyvernoNamespace()).Delete(context.TODO(), gr.GetName(), metav1.DeleteOptions{}); err != nil {
|
2022-04-29 19:05:49 +08:00
|
|
|
errors = append(errors, err)
|
|
|
|
|
logger.Error(err, "failed to delete GR")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2022-08-02 07:54:02 -07:00
|
|
|
err = multierr.Combine(errors...)
|
2022-04-29 19:05:49 +08:00
|
|
|
return err
|
|
|
|
|
}
|
