mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-06 16:06:56 +00:00
Code Activity
kyverno/pkg/webhookconfig/common.go

217 lines
6.4 KiB
Go
Raw Normal View History

create policy mutating webhook config resouce + refactoring
2019-08-27 14:52:56 -07:00
package webhookconfig
import (
"io/ioutil"
fix Potential file inclusion via variable (#2523) Signed-off-by: slayer321 <sachin.maurya7666@gmail.com>
2021-10-13 10:48:45 -07:00
"path/filepath"
Dynamic webhooks (#2425) * support k8s 1.22, update admissionregistration.k8s.io/v1beta1 to admissionregistration.k8s.io/v1 Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add failurePolicy to policy spec; - fix typo Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add schema validation for failurePolicy; - add a printer column Signed-off-by: ShutingZhao <shutting06@gmail.com> * set default failure policy to fail if not defined Signed-off-by: ShutingZhao <shutting06@gmail.com> * resolve conflicts Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix missing type for printerColumn Signed-off-by: ShutingZhao <shutting06@gmail.com> * refactor policy controller Signed-off-by: ShutingZhao <shutting06@gmail.com> * add webhook config manager Signed-off-by: ShutingZhao <shutting06@gmail.com> * - build webhook objects per policy update; - add fail webhook to default webhook configurations Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix panic on policy update Signed-off-by: ShutingZhao <shutting06@gmail.com> * build default webhook: match empty if autoUpdateWebhooks is enabled, otherwise match all Signed-off-by: ShutingZhao <shutting06@gmail.com> * - set default webhook configs rule to empty; - handle policy deletion Signed-off-by: ShutingZhao <shutting06@gmail.com> * reset webhook config if policies with a specific failurePolicy are cleaned up Signed-off-by: ShutingZhao <shutting06@gmail.com> * handle wildcard pocliy Signed-off-by: ShutingZhao <shutting06@gmail.com> * update default webhook timeout to 10s Signed-off-by: ShutingZhao <shutting06@gmail.com> * cleanups Signed-off-by: ShutingZhao <shutting06@gmail.com> * added webhook informer to re-create it immediately if missing Signed-off-by: ShutingZhao <shutting06@gmail.com> * update tag webhookTimeoutSeconds description Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix e2e tests Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix linter issue Signed-off-by: ShutingZhao <shutting06@gmail.com> * correct metric endpoint Signed-off-by: ShutingZhao <shutting06@gmail.com> * add pol.generate.kind to webhooks Signed-off-by: ShutingZhao <shutting06@gmail.com>
2021-10-05 00:15:09 -07:00
"reflect"
create policy mutating webhook config resouce + refactoring
2019-08-27 14:52:56 -07:00
update nirmata/kyverno to kyverno/kyverno
2020-10-07 11:12:31 -07:00
"github.com/kyverno/kyverno/pkg/config"
Add certificate renewer in webhook registration controller (#1692) * load TLS pair from existing secret, if applicable Signed-off-by: Shuting Zhao <shutting06@gmail.com> * remove Kyverno managed secrets during shutdown Signed-off-by: Shuting Zhao <shutting06@gmail.com> * - add certificate renewer; - re-structure certificate package Signed-off-by: Shuting Zhao <shutting06@gmail.com> * commit un-saved file Signed-off-by: Shuting Zhao <shutting06@gmail.com> * eliminate throttling requests while registering webhook configs Signed-off-by: Shuting Zhao <shutting06@gmail.com> * disable webhook monitor (in old pod) during rolling update Signed-off-by: Shuting Zhao <shutting06@gmail.com> * remove webhook cleanup logic from init container Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update PR template Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update link to the website repo Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update repo name Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-03-16 11:31:04 -07:00
"github.com/kyverno/kyverno/pkg/tls"
Dynamic webhooks (#2425) * support k8s 1.22, update admissionregistration.k8s.io/v1beta1 to admissionregistration.k8s.io/v1 Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add failurePolicy to policy spec; - fix typo Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add schema validation for failurePolicy; - add a printer column Signed-off-by: ShutingZhao <shutting06@gmail.com> * set default failure policy to fail if not defined Signed-off-by: ShutingZhao <shutting06@gmail.com> * resolve conflicts Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix missing type for printerColumn Signed-off-by: ShutingZhao <shutting06@gmail.com> * refactor policy controller Signed-off-by: ShutingZhao <shutting06@gmail.com> * add webhook config manager Signed-off-by: ShutingZhao <shutting06@gmail.com> * - build webhook objects per policy update; - add fail webhook to default webhook configurations Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix panic on policy update Signed-off-by: ShutingZhao <shutting06@gmail.com> * build default webhook: match empty if autoUpdateWebhooks is enabled, otherwise match all Signed-off-by: ShutingZhao <shutting06@gmail.com> * - set default webhook configs rule to empty; - handle policy deletion Signed-off-by: ShutingZhao <shutting06@gmail.com> * reset webhook config if policies with a specific failurePolicy are cleaned up Signed-off-by: ShutingZhao <shutting06@gmail.com> * handle wildcard pocliy Signed-off-by: ShutingZhao <shutting06@gmail.com> * update default webhook timeout to 10s Signed-off-by: ShutingZhao <shutting06@gmail.com> * cleanups Signed-off-by: ShutingZhao <shutting06@gmail.com> * added webhook informer to re-create it immediately if missing Signed-off-by: ShutingZhao <shutting06@gmail.com> * update tag webhookTimeoutSeconds description Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix e2e tests Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix linter issue Signed-off-by: ShutingZhao <shutting06@gmail.com> * correct metric endpoint Signed-off-by: ShutingZhao <shutting06@gmail.com> * add pol.generate.kind to webhooks Signed-off-by: ShutingZhao <shutting06@gmail.com>
2021-10-05 00:15:09 -07:00
admregapi "k8s.io/api/admissionregistration/v1"
Reduce throttling requests (GET) (#1522) * add resource lister to even handler Signed-off-by: Shuting Zhao <shutting06@gmail.com> * use lister to get Kyverno deployment Signed-off-by: Shuting Zhao <shutting06@gmail.com> * add lister for webhook configs Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-02-05 09:58:10 -08:00
apps "k8s.io/api/apps/v1"
adding ownerRef with namespace (#2263) Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
2021-08-14 05:37:40 +05:30
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
Add certificate renewer in webhook registration controller (#1692) * load TLS pair from existing secret, if applicable Signed-off-by: Shuting Zhao <shutting06@gmail.com> * remove Kyverno managed secrets during shutdown Signed-off-by: Shuting Zhao <shutting06@gmail.com> * - add certificate renewer; - re-structure certificate package Signed-off-by: Shuting Zhao <shutting06@gmail.com> * commit un-saved file Signed-off-by: Shuting Zhao <shutting06@gmail.com> * eliminate throttling requests while registering webhook configs Signed-off-by: Shuting Zhao <shutting06@gmail.com> * disable webhook monitor (in old pod) during rolling update Signed-off-by: Shuting Zhao <shutting06@gmail.com> * remove webhook cleanup logic from init container Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update PR template Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update link to the website repo Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update repo name Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-03-16 11:31:04 -07:00
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
Reduce throttling requests (GET) (#1522) * add resource lister to even handler Signed-off-by: Shuting Zhao <shutting06@gmail.com> * use lister to get Kyverno deployment Signed-off-by: Shuting Zhao <shutting06@gmail.com> * add lister for webhook configs Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-02-05 09:58:10 -08:00
"k8s.io/apimachinery/pkg/runtime"
create policy mutating webhook config resouce + refactoring
2019-08-27 14:52:56 -07:00
rest "k8s.io/client-go/rest"
)
update webhook registration and monitor (#1318) * update webhook registration and monitor * update log * fix test * improve logs * improve logs * format changes * decrease interval for webhook config checks
2020-11-26 16:07:06 -08:00
func (wrc *Register) readCaData() []byte {
Add certificate renewer in webhook registration controller (#1692) * load TLS pair from existing secret, if applicable Signed-off-by: Shuting Zhao <shutting06@gmail.com> * remove Kyverno managed secrets during shutdown Signed-off-by: Shuting Zhao <shutting06@gmail.com> * - add certificate renewer; - re-structure certificate package Signed-off-by: Shuting Zhao <shutting06@gmail.com> * commit un-saved file Signed-off-by: Shuting Zhao <shutting06@gmail.com> * eliminate throttling requests while registering webhook configs Signed-off-by: Shuting Zhao <shutting06@gmail.com> * disable webhook monitor (in old pod) during rolling update Signed-off-by: Shuting Zhao <shutting06@gmail.com> * remove webhook cleanup logic from init container Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update PR template Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update link to the website repo Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update repo name Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-03-16 11:31:04 -07:00
logger := wrc.log.WithName("readCaData")
create policy mutating webhook config resouce + refactoring
2019-08-27 14:52:56 -07:00
var caData []byte
Add certificate renewer in webhook registration controller (#1692) * load TLS pair from existing secret, if applicable Signed-off-by: Shuting Zhao <shutting06@gmail.com> * remove Kyverno managed secrets during shutdown Signed-off-by: Shuting Zhao <shutting06@gmail.com> * - add certificate renewer; - re-structure certificate package Signed-off-by: Shuting Zhao <shutting06@gmail.com> * commit un-saved file Signed-off-by: Shuting Zhao <shutting06@gmail.com> * eliminate throttling requests while registering webhook configs Signed-off-by: Shuting Zhao <shutting06@gmail.com> * disable webhook monitor (in old pod) during rolling update Signed-off-by: Shuting Zhao <shutting06@gmail.com> * remove webhook cleanup logic from init container Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update PR template Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update link to the website repo Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update repo name Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-03-16 11:31:04 -07:00
var err error
create policy mutating webhook config resouce + refactoring
2019-08-27 14:52:56 -07:00
// Check if ca is defined in the secret tls-ca
// assume the key and signed cert have been defined in secret tls.kyverno
Add certificate renewer in webhook registration controller (#1692) * load TLS pair from existing secret, if applicable Signed-off-by: Shuting Zhao <shutting06@gmail.com> * remove Kyverno managed secrets during shutdown Signed-off-by: Shuting Zhao <shutting06@gmail.com> * - add certificate renewer; - re-structure certificate package Signed-off-by: Shuting Zhao <shutting06@gmail.com> * commit un-saved file Signed-off-by: Shuting Zhao <shutting06@gmail.com> * eliminate throttling requests while registering webhook configs Signed-off-by: Shuting Zhao <shutting06@gmail.com> * disable webhook monitor (in old pod) during rolling update Signed-off-by: Shuting Zhao <shutting06@gmail.com> * remove webhook cleanup logic from init container Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update PR template Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update link to the website repo Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update repo name Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-03-16 11:31:04 -07:00
if caData, err = tls.ReadRootCASecret(wrc.clientConfig, wrc.client); err == nil {
refactor logging
2020-03-17 16:25:34 -07:00
logger.V(4).Info("read CA from secret")
create policy mutating webhook config resouce + refactoring
2019-08-27 14:52:56 -07:00
return caData
}
Add certificate renewer in webhook registration controller (#1692) * load TLS pair from existing secret, if applicable Signed-off-by: Shuting Zhao <shutting06@gmail.com> * remove Kyverno managed secrets during shutdown Signed-off-by: Shuting Zhao <shutting06@gmail.com> * - add certificate renewer; - re-structure certificate package Signed-off-by: Shuting Zhao <shutting06@gmail.com> * commit un-saved file Signed-off-by: Shuting Zhao <shutting06@gmail.com> * eliminate throttling requests while registering webhook configs Signed-off-by: Shuting Zhao <shutting06@gmail.com> * disable webhook monitor (in old pod) during rolling update Signed-off-by: Shuting Zhao <shutting06@gmail.com> * remove webhook cleanup logic from init container Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update PR template Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update link to the website repo Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update repo name Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-03-16 11:31:04 -07:00
logger.V(4).Info("failed to read CA from secret, reading from kubeconfig", "reason", err.Error())
create policy mutating webhook config resouce + refactoring
2019-08-27 14:52:56 -07:00
// load the CA from kubeconfig
if caData = extractCA(wrc.clientConfig); len(caData) != 0 {
refactor logging
2020-03-17 16:25:34 -07:00
logger.V(4).Info("read CA from kubeconfig")
create policy mutating webhook config resouce + refactoring
2019-08-27 14:52:56 -07:00
return caData
}
Add certificate renewer in webhook registration controller (#1692) * load TLS pair from existing secret, if applicable Signed-off-by: Shuting Zhao <shutting06@gmail.com> * remove Kyverno managed secrets during shutdown Signed-off-by: Shuting Zhao <shutting06@gmail.com> * - add certificate renewer; - re-structure certificate package Signed-off-by: Shuting Zhao <shutting06@gmail.com> * commit un-saved file Signed-off-by: Shuting Zhao <shutting06@gmail.com> * eliminate throttling requests while registering webhook configs Signed-off-by: Shuting Zhao <shutting06@gmail.com> * disable webhook monitor (in old pod) during rolling update Signed-off-by: Shuting Zhao <shutting06@gmail.com> * remove webhook cleanup logic from init container Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update PR template Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update link to the website repo Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update repo name Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-03-16 11:31:04 -07:00
refactor logging
2020-03-17 16:25:34 -07:00
logger.V(4).Info("failed to read CA from kubeconfig")
create policy mutating webhook config resouce + refactoring
2019-08-27 14:52:56 -07:00
return nil
}
// ExtractCA used for extraction CA from config
func extractCA(config *rest.Config) (result []byte) {
fileName := config.TLSClientConfig.CAFile
if fileName != "" {
fix Potential file inclusion via variable (#2523) Signed-off-by: slayer321 <sachin.maurya7666@gmail.com>
2021-10-13 10:48:45 -07:00
fileName = filepath.Clean(fileName)
create policy mutating webhook config resouce + refactoring
2019-08-27 14:52:56 -07:00
result, err := ioutil.ReadFile(fileName)
if err != nil {
return nil
}
return result
}
return config.TLSClientConfig.CAData
}
adding ownerRef with namespace (#2263) Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
2021-08-14 05:37:40 +05:30
func (wrc *Register) constructOwner() v1.OwnerReference {
logger := wrc.log
kubeNamespace, err := wrc.GetKubePolicyNamespace()
if err != nil {
logger.Error(err, "failed to construct OwnerReference")
return v1.OwnerReference{}
}
return v1.OwnerReference{
APIVersion: config.NamespaceAPIVersion,
Kind: config.NamespaceKind,
Name: config.KyvernoNamespace,
UID: kubeNamespace.GetUID(),
}
}
func (wrc *Register) GetKubePolicyNamespace() (*unstructured.Unstructured, error) {
kubeNamespace, err := wrc.client.GetResource(config.NamespaceAPIVersion, config.NamespaceKind, "", config.KyvernoNamespace)
if err != nil {
return nil, err
}
return kubeNamespace, nil
}
feat: HA (#1931) * Fix Dev setup * webhook monitor - start webhook monitor in main process Signed-off-by: Shuting Zhao <shutting06@gmail.com> * add leaderelection Signed-off-by: Jim Bugwadia <jim@nirmata.com> * - add isLeader; - update to use configmap lock Signed-off-by: Shuting Zhao <shutting06@gmail.com> * - add initialization method - add methods to get attributes Signed-off-by: Shuting Zhao <shutting06@gmail.com> * address comments Signed-off-by: Shuting Zhao <shutting06@gmail.com> * remove newContext in runLeaderElection Signed-off-by: Shuting Zhao <shutting06@gmail.com> * add leader election to GenerateController Signed-off-by: Jim Bugwadia <jim@nirmata.com> * skip processing for non-leaders Signed-off-by: Jim Bugwadia <jim@nirmata.com> * skip processing for non-leaders Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add leader election to generate cleanup controller Signed-off-by: Jim Bugwadia <jim@nirmata.com> * Gracefully drain request * HA - Webhook Register / Webhook Monitor / Certificate Renewer (#1920) * enable leader election for webhook register Signed-off-by: Shuting Zhao <shutting06@gmail.com> * extract certManager to its own process Signed-off-by: Shuting Zhao <shutting06@gmail.com> * leader election for cert manager Signed-off-by: Shuting Zhao <shutting06@gmail.com> * certManager - init certs by the leader Signed-off-by: Shuting Zhao <shutting06@gmail.com> * add leader election to webhook monitor Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update log message Signed-off-by: Shuting Zhao <shutting06@gmail.com> * add leader election to policy controller Signed-off-by: Shuting Zhao <shutting06@gmail.com> * add leader election to policy report controller Signed-off-by: Shuting Zhao <shutting06@gmail.com> * rebuild leader election config Signed-off-by: Shuting Zhao <shutting06@gmail.com> * start informers in leaderelection Signed-off-by: Shuting Zhao <shutting06@gmail.com> * start policy informers in main Signed-off-by: Shuting Zhao <shutting06@gmail.com> * enable leader election in main Signed-off-by: Shuting Zhao <shutting06@gmail.com> * move eventHandler to the leader election start method Signed-off-by: Shuting Zhao <shutting06@gmail.com> * address reviewdog comments Signed-off-by: Shuting Zhao <shutting06@gmail.com> * add clusterrole leaderelection Signed-off-by: Shuting Zhao <shutting06@gmail.com> * fixed generate flow (#1936) Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com> * - init separate kubeclient for leaderelection - fix webhook monitor Signed-off-by: Shuting Zhao <shutting06@gmail.com> * address reviewdog comments Signed-off-by: Shuting Zhao <shutting06@gmail.com> * cleanup Kyverno managed resources on stopLeading Signed-off-by: Shuting Zhao <shutting06@gmail.com> * tag v1.4.0-beta1 Signed-off-by: Shuting Zhao <shutting06@gmail.com> * fix cleanup process on Kyverno stops Signed-off-by: Shuting Zhao <shutting06@gmail.com> * bump kind to 0.11.0, k8s v1.21 (#1980) Co-authored-by: vyankatesh <vyankatesh@neualto.com> Co-authored-by: vyankatesh <vyankateshkd@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Pooja Singh <36136335+NoSkillGirl@users.noreply.github.com>
2021-06-08 12:37:19 -07:00
// GetKubePolicyDeployment gets Kyverno deployment using the resource cache
// it does not initialize any client call
Add certificate renewer in webhook registration controller (#1692) * load TLS pair from existing secret, if applicable Signed-off-by: Shuting Zhao <shutting06@gmail.com> * remove Kyverno managed secrets during shutdown Signed-off-by: Shuting Zhao <shutting06@gmail.com> * - add certificate renewer; - re-structure certificate package Signed-off-by: Shuting Zhao <shutting06@gmail.com> * commit un-saved file Signed-off-by: Shuting Zhao <shutting06@gmail.com> * eliminate throttling requests while registering webhook configs Signed-off-by: Shuting Zhao <shutting06@gmail.com> * disable webhook monitor (in old pod) during rolling update Signed-off-by: Shuting Zhao <shutting06@gmail.com> * remove webhook cleanup logic from init container Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update PR template Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update link to the website repo Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update repo name Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-03-16 11:31:04 -07:00
func (wrc *Register) GetKubePolicyDeployment() (*apps.Deployment, *unstructured.Unstructured, error) {
Reduce throttling requests (GET) (#1522) * add resource lister to even handler Signed-off-by: Shuting Zhao <shutting06@gmail.com> * use lister to get Kyverno deployment Signed-off-by: Shuting Zhao <shutting06@gmail.com> * add lister for webhook configs Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-02-05 09:58:10 -08:00
lister, _ := wrc.resCache.GetGVRCache("Deployment")
kubePolicyDeployment, err := lister.NamespacedLister(config.KyvernoNamespace).Get(config.KyvernoDeploymentName)
if err != nil {
Add certificate renewer in webhook registration controller (#1692) * load TLS pair from existing secret, if applicable Signed-off-by: Shuting Zhao <shutting06@gmail.com> * remove Kyverno managed secrets during shutdown Signed-off-by: Shuting Zhao <shutting06@gmail.com> * - add certificate renewer; - re-structure certificate package Signed-off-by: Shuting Zhao <shutting06@gmail.com> * commit un-saved file Signed-off-by: Shuting Zhao <shutting06@gmail.com> * eliminate throttling requests while registering webhook configs Signed-off-by: Shuting Zhao <shutting06@gmail.com> * disable webhook monitor (in old pod) during rolling update Signed-off-by: Shuting Zhao <shutting06@gmail.com> * remove webhook cleanup logic from init container Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update PR template Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update link to the website repo Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update repo name Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-03-16 11:31:04 -07:00
return nil, nil, err
Reduce throttling requests (GET) (#1522) * add resource lister to even handler Signed-off-by: Shuting Zhao <shutting06@gmail.com> * use lister to get Kyverno deployment Signed-off-by: Shuting Zhao <shutting06@gmail.com> * add lister for webhook configs Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-02-05 09:58:10 -08:00
}
deploy := apps.Deployment{}
if err = runtime.DefaultUnstructuredConverter.FromUnstructured(kubePolicyDeployment.UnstructuredContent(), &deploy); err != nil {
Add certificate renewer in webhook registration controller (#1692) * load TLS pair from existing secret, if applicable Signed-off-by: Shuting Zhao <shutting06@gmail.com> * remove Kyverno managed secrets during shutdown Signed-off-by: Shuting Zhao <shutting06@gmail.com> * - add certificate renewer; - re-structure certificate package Signed-off-by: Shuting Zhao <shutting06@gmail.com> * commit un-saved file Signed-off-by: Shuting Zhao <shutting06@gmail.com> * eliminate throttling requests while registering webhook configs Signed-off-by: Shuting Zhao <shutting06@gmail.com> * disable webhook monitor (in old pod) during rolling update Signed-off-by: Shuting Zhao <shutting06@gmail.com> * remove webhook cleanup logic from init container Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update PR template Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update link to the website repo Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update repo name Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-03-16 11:31:04 -07:00
return nil, kubePolicyDeployment, err
Reduce throttling requests (GET) (#1522) * add resource lister to even handler Signed-off-by: Shuting Zhao <shutting06@gmail.com> * use lister to get Kyverno deployment Signed-off-by: Shuting Zhao <shutting06@gmail.com> * add lister for webhook configs Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-02-05 09:58:10 -08:00
}
Add certificate renewer in webhook registration controller (#1692) * load TLS pair from existing secret, if applicable Signed-off-by: Shuting Zhao <shutting06@gmail.com> * remove Kyverno managed secrets during shutdown Signed-off-by: Shuting Zhao <shutting06@gmail.com> * - add certificate renewer; - re-structure certificate package Signed-off-by: Shuting Zhao <shutting06@gmail.com> * commit un-saved file Signed-off-by: Shuting Zhao <shutting06@gmail.com> * eliminate throttling requests while registering webhook configs Signed-off-by: Shuting Zhao <shutting06@gmail.com> * disable webhook monitor (in old pod) during rolling update Signed-off-by: Shuting Zhao <shutting06@gmail.com> * remove webhook cleanup logic from init container Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update PR template Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update link to the website repo Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update repo name Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-03-16 11:31:04 -07:00
return &deploy, kubePolicyDeployment, nil
Reduce throttling requests (GET) (#1522) * add resource lister to even handler Signed-off-by: Shuting Zhao <shutting06@gmail.com> * use lister to get Kyverno deployment Signed-off-by: Shuting Zhao <shutting06@gmail.com> * add lister for webhook configs Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-02-05 09:58:10 -08:00
}
logs & access
2020-03-17 11:05:20 -07:00
// debug mutating webhook
Dynamic webhooks (#2425) * support k8s 1.22, update admissionregistration.k8s.io/v1beta1 to admissionregistration.k8s.io/v1 Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add failurePolicy to policy spec; - fix typo Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add schema validation for failurePolicy; - add a printer column Signed-off-by: ShutingZhao <shutting06@gmail.com> * set default failure policy to fail if not defined Signed-off-by: ShutingZhao <shutting06@gmail.com> * resolve conflicts Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix missing type for printerColumn Signed-off-by: ShutingZhao <shutting06@gmail.com> * refactor policy controller Signed-off-by: ShutingZhao <shutting06@gmail.com> * add webhook config manager Signed-off-by: ShutingZhao <shutting06@gmail.com> * - build webhook objects per policy update; - add fail webhook to default webhook configurations Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix panic on policy update Signed-off-by: ShutingZhao <shutting06@gmail.com> * build default webhook: match empty if autoUpdateWebhooks is enabled, otherwise match all Signed-off-by: ShutingZhao <shutting06@gmail.com> * - set default webhook configs rule to empty; - handle policy deletion Signed-off-by: ShutingZhao <shutting06@gmail.com> * reset webhook config if policies with a specific failurePolicy are cleaned up Signed-off-by: ShutingZhao <shutting06@gmail.com> * handle wildcard pocliy Signed-off-by: ShutingZhao <shutting06@gmail.com> * update default webhook timeout to 10s Signed-off-by: ShutingZhao <shutting06@gmail.com> * cleanups Signed-off-by: ShutingZhao <shutting06@gmail.com> * added webhook informer to re-create it immediately if missing Signed-off-by: ShutingZhao <shutting06@gmail.com> * update tag webhookTimeoutSeconds description Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix e2e tests Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix linter issue Signed-off-by: ShutingZhao <shutting06@gmail.com> * correct metric endpoint Signed-off-by: ShutingZhao <shutting06@gmail.com> * add pol.generate.kind to webhooks Signed-off-by: ShutingZhao <shutting06@gmail.com>
2021-10-05 00:15:09 -07:00
func generateDebugMutatingWebhook(name, url string, caData []byte, validate bool, timeoutSeconds int32, rule admregapi.Rule, operationTypes []admregapi.OperationType, failurePolicy admregapi.FailurePolicyType) admregapi.MutatingWebhook {
528_add_webhook_defaults
2019-12-04 17:28:39 -08:00
sideEffect := admregapi.SideEffectClassNoneOnDryRun
983 kustomize support (#1026) * prototype - strategic merge patch * add end to end test * add engine strategic merge patch support * set webhook reinvocationPolicy to IfNeeded * refactor engine mutate code * support JMESPath in strategic merge patch * implement patchesJson6902 * update doc * resolve pr comments
2020-08-05 09:11:23 -07:00
reinvocationPolicy := admregapi.NeverReinvocationPolicy
Dynamic webhooks (#2425) * support k8s 1.22, update admissionregistration.k8s.io/v1beta1 to admissionregistration.k8s.io/v1 Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add failurePolicy to policy spec; - fix typo Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add schema validation for failurePolicy; - add a printer column Signed-off-by: ShutingZhao <shutting06@gmail.com> * set default failure policy to fail if not defined Signed-off-by: ShutingZhao <shutting06@gmail.com> * resolve conflicts Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix missing type for printerColumn Signed-off-by: ShutingZhao <shutting06@gmail.com> * refactor policy controller Signed-off-by: ShutingZhao <shutting06@gmail.com> * add webhook config manager Signed-off-by: ShutingZhao <shutting06@gmail.com> * - build webhook objects per policy update; - add fail webhook to default webhook configurations Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix panic on policy update Signed-off-by: ShutingZhao <shutting06@gmail.com> * build default webhook: match empty if autoUpdateWebhooks is enabled, otherwise match all Signed-off-by: ShutingZhao <shutting06@gmail.com> * - set default webhook configs rule to empty; - handle policy deletion Signed-off-by: ShutingZhao <shutting06@gmail.com> * reset webhook config if policies with a specific failurePolicy are cleaned up Signed-off-by: ShutingZhao <shutting06@gmail.com> * handle wildcard pocliy Signed-off-by: ShutingZhao <shutting06@gmail.com> * update default webhook timeout to 10s Signed-off-by: ShutingZhao <shutting06@gmail.com> * cleanups Signed-off-by: ShutingZhao <shutting06@gmail.com> * added webhook informer to re-create it immediately if missing Signed-off-by: ShutingZhao <shutting06@gmail.com> * update tag webhookTimeoutSeconds description Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix e2e tests Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix linter issue Signed-off-by: ShutingZhao <shutting06@gmail.com> * correct metric endpoint Signed-off-by: ShutingZhao <shutting06@gmail.com> * add pol.generate.kind to webhooks Signed-off-by: ShutingZhao <shutting06@gmail.com>
2021-10-05 00:15:09 -07:00
w := admregapi.MutatingWebhook{
983 kustomize support (#1026) * prototype - strategic merge patch * add end to end test * add engine strategic merge patch support * set webhook reinvocationPolicy to IfNeeded * refactor engine mutate code * support JMESPath in strategic merge patch * implement patchesJson6902 * update doc * resolve pr comments
2020-08-05 09:11:23 -07:00
ReinvocationPolicy: &reinvocationPolicy,
Name: name,
create policy mutating webhook config resouce + refactoring
2019-08-27 14:52:56 -07:00
ClientConfig: admregapi.WebhookClientConfig{
URL: &url,
CABundle: caData,
},
Dynamic webhooks (#2425) * support k8s 1.22, update admissionregistration.k8s.io/v1beta1 to admissionregistration.k8s.io/v1 Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add failurePolicy to policy spec; - fix typo Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add schema validation for failurePolicy; - add a printer column Signed-off-by: ShutingZhao <shutting06@gmail.com> * set default failure policy to fail if not defined Signed-off-by: ShutingZhao <shutting06@gmail.com> * resolve conflicts Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix missing type for printerColumn Signed-off-by: ShutingZhao <shutting06@gmail.com> * refactor policy controller Signed-off-by: ShutingZhao <shutting06@gmail.com> * add webhook config manager Signed-off-by: ShutingZhao <shutting06@gmail.com> * - build webhook objects per policy update; - add fail webhook to default webhook configurations Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix panic on policy update Signed-off-by: ShutingZhao <shutting06@gmail.com> * build default webhook: match empty if autoUpdateWebhooks is enabled, otherwise match all Signed-off-by: ShutingZhao <shutting06@gmail.com> * - set default webhook configs rule to empty; - handle policy deletion Signed-off-by: ShutingZhao <shutting06@gmail.com> * reset webhook config if policies with a specific failurePolicy are cleaned up Signed-off-by: ShutingZhao <shutting06@gmail.com> * handle wildcard pocliy Signed-off-by: ShutingZhao <shutting06@gmail.com> * update default webhook timeout to 10s Signed-off-by: ShutingZhao <shutting06@gmail.com> * cleanups Signed-off-by: ShutingZhao <shutting06@gmail.com> * added webhook informer to re-create it immediately if missing Signed-off-by: ShutingZhao <shutting06@gmail.com> * update tag webhookTimeoutSeconds description Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix e2e tests Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix linter issue Signed-off-by: ShutingZhao <shutting06@gmail.com> * correct metric endpoint Signed-off-by: ShutingZhao <shutting06@gmail.com> * add pol.generate.kind to webhooks Signed-off-by: ShutingZhao <shutting06@gmail.com>
2021-10-05 00:15:09 -07:00
SideEffects: &sideEffect,
528_add_webhook_defaults
2019-12-04 17:28:39 -08:00
AdmissionReviewVersions: []string{"v1beta1"},
TimeoutSeconds: &timeoutSeconds,
- set failurepolicy of webhookconfiguraitons to ignore; - disable auto-gen on policy disabllow_default_namespace
2020-01-15 18:01:50 -08:00
FailurePolicy: &failurePolicy,
create policy mutating webhook config resouce + refactoring
2019-08-27 14:52:56 -07:00
}
Dynamic webhooks (#2425) * support k8s 1.22, update admissionregistration.k8s.io/v1beta1 to admissionregistration.k8s.io/v1 Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add failurePolicy to policy spec; - fix typo Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add schema validation for failurePolicy; - add a printer column Signed-off-by: ShutingZhao <shutting06@gmail.com> * set default failure policy to fail if not defined Signed-off-by: ShutingZhao <shutting06@gmail.com> * resolve conflicts Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix missing type for printerColumn Signed-off-by: ShutingZhao <shutting06@gmail.com> * refactor policy controller Signed-off-by: ShutingZhao <shutting06@gmail.com> * add webhook config manager Signed-off-by: ShutingZhao <shutting06@gmail.com> * - build webhook objects per policy update; - add fail webhook to default webhook configurations Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix panic on policy update Signed-off-by: ShutingZhao <shutting06@gmail.com> * build default webhook: match empty if autoUpdateWebhooks is enabled, otherwise match all Signed-off-by: ShutingZhao <shutting06@gmail.com> * - set default webhook configs rule to empty; - handle policy deletion Signed-off-by: ShutingZhao <shutting06@gmail.com> * reset webhook config if policies with a specific failurePolicy are cleaned up Signed-off-by: ShutingZhao <shutting06@gmail.com> * handle wildcard pocliy Signed-off-by: ShutingZhao <shutting06@gmail.com> * update default webhook timeout to 10s Signed-off-by: ShutingZhao <shutting06@gmail.com> * cleanups Signed-off-by: ShutingZhao <shutting06@gmail.com> * added webhook informer to re-create it immediately if missing Signed-off-by: ShutingZhao <shutting06@gmail.com> * update tag webhookTimeoutSeconds description Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix e2e tests Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix linter issue Signed-off-by: ShutingZhao <shutting06@gmail.com> * correct metric endpoint Signed-off-by: ShutingZhao <shutting06@gmail.com> * add pol.generate.kind to webhooks Signed-off-by: ShutingZhao <shutting06@gmail.com>
2021-10-05 00:15:09 -07:00
if !reflect.DeepEqual(rule, admregapi.Rule{}) {
w.Rules = []admregapi.RuleWithOperations{
{
Operations: operationTypes,
Rule: rule,
},
}
}
return w
create policy mutating webhook config resouce + refactoring
2019-08-27 14:52:56 -07:00
}
Dynamic webhooks (#2425) * support k8s 1.22, update admissionregistration.k8s.io/v1beta1 to admissionregistration.k8s.io/v1 Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add failurePolicy to policy spec; - fix typo Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add schema validation for failurePolicy; - add a printer column Signed-off-by: ShutingZhao <shutting06@gmail.com> * set default failure policy to fail if not defined Signed-off-by: ShutingZhao <shutting06@gmail.com> * resolve conflicts Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix missing type for printerColumn Signed-off-by: ShutingZhao <shutting06@gmail.com> * refactor policy controller Signed-off-by: ShutingZhao <shutting06@gmail.com> * add webhook config manager Signed-off-by: ShutingZhao <shutting06@gmail.com> * - build webhook objects per policy update; - add fail webhook to default webhook configurations Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix panic on policy update Signed-off-by: ShutingZhao <shutting06@gmail.com> * build default webhook: match empty if autoUpdateWebhooks is enabled, otherwise match all Signed-off-by: ShutingZhao <shutting06@gmail.com> * - set default webhook configs rule to empty; - handle policy deletion Signed-off-by: ShutingZhao <shutting06@gmail.com> * reset webhook config if policies with a specific failurePolicy are cleaned up Signed-off-by: ShutingZhao <shutting06@gmail.com> * handle wildcard pocliy Signed-off-by: ShutingZhao <shutting06@gmail.com> * update default webhook timeout to 10s Signed-off-by: ShutingZhao <shutting06@gmail.com> * cleanups Signed-off-by: ShutingZhao <shutting06@gmail.com> * added webhook informer to re-create it immediately if missing Signed-off-by: ShutingZhao <shutting06@gmail.com> * update tag webhookTimeoutSeconds description Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix e2e tests Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix linter issue Signed-off-by: ShutingZhao <shutting06@gmail.com> * correct metric endpoint Signed-off-by: ShutingZhao <shutting06@gmail.com> * add pol.generate.kind to webhooks Signed-off-by: ShutingZhao <shutting06@gmail.com>
2021-10-05 00:15:09 -07:00
func generateDebugValidatingWebhook(name, url string, caData []byte, validate bool, timeoutSeconds int32, rule admregapi.Rule, operationTypes []admregapi.OperationType, failurePolicy admregapi.FailurePolicyType) admregapi.ValidatingWebhook {
logs & access
2020-03-17 11:05:20 -07:00
sideEffect := admregapi.SideEffectClassNoneOnDryRun
Dynamic webhooks (#2425) * support k8s 1.22, update admissionregistration.k8s.io/v1beta1 to admissionregistration.k8s.io/v1 Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add failurePolicy to policy spec; - fix typo Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add schema validation for failurePolicy; - add a printer column Signed-off-by: ShutingZhao <shutting06@gmail.com> * set default failure policy to fail if not defined Signed-off-by: ShutingZhao <shutting06@gmail.com> * resolve conflicts Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix missing type for printerColumn Signed-off-by: ShutingZhao <shutting06@gmail.com> * refactor policy controller Signed-off-by: ShutingZhao <shutting06@gmail.com> * add webhook config manager Signed-off-by: ShutingZhao <shutting06@gmail.com> * - build webhook objects per policy update; - add fail webhook to default webhook configurations Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix panic on policy update Signed-off-by: ShutingZhao <shutting06@gmail.com> * build default webhook: match empty if autoUpdateWebhooks is enabled, otherwise match all Signed-off-by: ShutingZhao <shutting06@gmail.com> * - set default webhook configs rule to empty; - handle policy deletion Signed-off-by: ShutingZhao <shutting06@gmail.com> * reset webhook config if policies with a specific failurePolicy are cleaned up Signed-off-by: ShutingZhao <shutting06@gmail.com> * handle wildcard pocliy Signed-off-by: ShutingZhao <shutting06@gmail.com> * update default webhook timeout to 10s Signed-off-by: ShutingZhao <shutting06@gmail.com> * cleanups Signed-off-by: ShutingZhao <shutting06@gmail.com> * added webhook informer to re-create it immediately if missing Signed-off-by: ShutingZhao <shutting06@gmail.com> * update tag webhookTimeoutSeconds description Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix e2e tests Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix linter issue Signed-off-by: ShutingZhao <shutting06@gmail.com> * correct metric endpoint Signed-off-by: ShutingZhao <shutting06@gmail.com> * add pol.generate.kind to webhooks Signed-off-by: ShutingZhao <shutting06@gmail.com>
2021-10-05 00:15:09 -07:00
w := admregapi.ValidatingWebhook{
logs & access
2020-03-17 11:05:20 -07:00
Name: name,
ClientConfig: admregapi.WebhookClientConfig{
URL: &url,
CABundle: caData,
},
Dynamic webhooks (#2425) * support k8s 1.22, update admissionregistration.k8s.io/v1beta1 to admissionregistration.k8s.io/v1 Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add failurePolicy to policy spec; - fix typo Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add schema validation for failurePolicy; - add a printer column Signed-off-by: ShutingZhao <shutting06@gmail.com> * set default failure policy to fail if not defined Signed-off-by: ShutingZhao <shutting06@gmail.com> * resolve conflicts Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix missing type for printerColumn Signed-off-by: ShutingZhao <shutting06@gmail.com> * refactor policy controller Signed-off-by: ShutingZhao <shutting06@gmail.com> * add webhook config manager Signed-off-by: ShutingZhao <shutting06@gmail.com> * - build webhook objects per policy update; - add fail webhook to default webhook configurations Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix panic on policy update Signed-off-by: ShutingZhao <shutting06@gmail.com> * build default webhook: match empty if autoUpdateWebhooks is enabled, otherwise match all Signed-off-by: ShutingZhao <shutting06@gmail.com> * - set default webhook configs rule to empty; - handle policy deletion Signed-off-by: ShutingZhao <shutting06@gmail.com> * reset webhook config if policies with a specific failurePolicy are cleaned up Signed-off-by: ShutingZhao <shutting06@gmail.com> * handle wildcard pocliy Signed-off-by: ShutingZhao <shutting06@gmail.com> * update default webhook timeout to 10s Signed-off-by: ShutingZhao <shutting06@gmail.com> * cleanups Signed-off-by: ShutingZhao <shutting06@gmail.com> * added webhook informer to re-create it immediately if missing Signed-off-by: ShutingZhao <shutting06@gmail.com> * update tag webhookTimeoutSeconds description Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix e2e tests Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix linter issue Signed-off-by: ShutingZhao <shutting06@gmail.com> * correct metric endpoint Signed-off-by: ShutingZhao <shutting06@gmail.com> * add pol.generate.kind to webhooks Signed-off-by: ShutingZhao <shutting06@gmail.com>
2021-10-05 00:15:09 -07:00
SideEffects: &sideEffect,
logs & access
2020-03-17 11:05:20 -07:00
AdmissionReviewVersions: []string{"v1beta1"},
TimeoutSeconds: &timeoutSeconds,
FailurePolicy: &failurePolicy,
}
Dynamic webhooks (#2425) * support k8s 1.22, update admissionregistration.k8s.io/v1beta1 to admissionregistration.k8s.io/v1 Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add failurePolicy to policy spec; - fix typo Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add schema validation for failurePolicy; - add a printer column Signed-off-by: ShutingZhao <shutting06@gmail.com> * set default failure policy to fail if not defined Signed-off-by: ShutingZhao <shutting06@gmail.com> * resolve conflicts Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix missing type for printerColumn Signed-off-by: ShutingZhao <shutting06@gmail.com> * refactor policy controller Signed-off-by: ShutingZhao <shutting06@gmail.com> * add webhook config manager Signed-off-by: ShutingZhao <shutting06@gmail.com> * - build webhook objects per policy update; - add fail webhook to default webhook configurations Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix panic on policy update Signed-off-by: ShutingZhao <shutting06@gmail.com> * build default webhook: match empty if autoUpdateWebhooks is enabled, otherwise match all Signed-off-by: ShutingZhao <shutting06@gmail.com> * - set default webhook configs rule to empty; - handle policy deletion Signed-off-by: ShutingZhao <shutting06@gmail.com> * reset webhook config if policies with a specific failurePolicy are cleaned up Signed-off-by: ShutingZhao <shutting06@gmail.com> * handle wildcard pocliy Signed-off-by: ShutingZhao <shutting06@gmail.com> * update default webhook timeout to 10s Signed-off-by: ShutingZhao <shutting06@gmail.com> * cleanups Signed-off-by: ShutingZhao <shutting06@gmail.com> * added webhook informer to re-create it immediately if missing Signed-off-by: ShutingZhao <shutting06@gmail.com> * update tag webhookTimeoutSeconds description Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix e2e tests Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix linter issue Signed-off-by: ShutingZhao <shutting06@gmail.com> * correct metric endpoint Signed-off-by: ShutingZhao <shutting06@gmail.com> * add pol.generate.kind to webhooks Signed-off-by: ShutingZhao <shutting06@gmail.com>
2021-10-05 00:15:09 -07:00
if !reflect.DeepEqual(rule, admregapi.Rule{}) {
w.Rules = []admregapi.RuleWithOperations{
{
Operations: operationTypes,
Rule: rule,
},
}
}
return w
logs & access
2020-03-17 11:05:20 -07:00
}
// mutating webhook
Dynamic webhooks (#2425) * support k8s 1.22, update admissionregistration.k8s.io/v1beta1 to admissionregistration.k8s.io/v1 Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add failurePolicy to policy spec; - fix typo Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add schema validation for failurePolicy; - add a printer column Signed-off-by: ShutingZhao <shutting06@gmail.com> * set default failure policy to fail if not defined Signed-off-by: ShutingZhao <shutting06@gmail.com> * resolve conflicts Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix missing type for printerColumn Signed-off-by: ShutingZhao <shutting06@gmail.com> * refactor policy controller Signed-off-by: ShutingZhao <shutting06@gmail.com> * add webhook config manager Signed-off-by: ShutingZhao <shutting06@gmail.com> * - build webhook objects per policy update; - add fail webhook to default webhook configurations Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix panic on policy update Signed-off-by: ShutingZhao <shutting06@gmail.com> * build default webhook: match empty if autoUpdateWebhooks is enabled, otherwise match all Signed-off-by: ShutingZhao <shutting06@gmail.com> * - set default webhook configs rule to empty; - handle policy deletion Signed-off-by: ShutingZhao <shutting06@gmail.com> * reset webhook config if policies with a specific failurePolicy are cleaned up Signed-off-by: ShutingZhao <shutting06@gmail.com> * handle wildcard pocliy Signed-off-by: ShutingZhao <shutting06@gmail.com> * update default webhook timeout to 10s Signed-off-by: ShutingZhao <shutting06@gmail.com> * cleanups Signed-off-by: ShutingZhao <shutting06@gmail.com> * added webhook informer to re-create it immediately if missing Signed-off-by: ShutingZhao <shutting06@gmail.com> * update tag webhookTimeoutSeconds description Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix e2e tests Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix linter issue Signed-off-by: ShutingZhao <shutting06@gmail.com> * correct metric endpoint Signed-off-by: ShutingZhao <shutting06@gmail.com> * add pol.generate.kind to webhooks Signed-off-by: ShutingZhao <shutting06@gmail.com>
2021-10-05 00:15:09 -07:00
func generateMutatingWebhook(name, servicePath string, caData []byte, validation bool, timeoutSeconds int32, rule admregapi.Rule, operationTypes []admregapi.OperationType, failurePolicy admregapi.FailurePolicyType) admregapi.MutatingWebhook {
logs & access
2020-03-17 11:05:20 -07:00
sideEffect := admregapi.SideEffectClassNoneOnDryRun
Dynamic webhooks (#2425) * support k8s 1.22, update admissionregistration.k8s.io/v1beta1 to admissionregistration.k8s.io/v1 Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add failurePolicy to policy spec; - fix typo Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add schema validation for failurePolicy; - add a printer column Signed-off-by: ShutingZhao <shutting06@gmail.com> * set default failure policy to fail if not defined Signed-off-by: ShutingZhao <shutting06@gmail.com> * resolve conflicts Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix missing type for printerColumn Signed-off-by: ShutingZhao <shutting06@gmail.com> * refactor policy controller Signed-off-by: ShutingZhao <shutting06@gmail.com> * add webhook config manager Signed-off-by: ShutingZhao <shutting06@gmail.com> * - build webhook objects per policy update; - add fail webhook to default webhook configurations Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix panic on policy update Signed-off-by: ShutingZhao <shutting06@gmail.com> * build default webhook: match empty if autoUpdateWebhooks is enabled, otherwise match all Signed-off-by: ShutingZhao <shutting06@gmail.com> * - set default webhook configs rule to empty; - handle policy deletion Signed-off-by: ShutingZhao <shutting06@gmail.com> * reset webhook config if policies with a specific failurePolicy are cleaned up Signed-off-by: ShutingZhao <shutting06@gmail.com> * handle wildcard pocliy Signed-off-by: ShutingZhao <shutting06@gmail.com> * update default webhook timeout to 10s Signed-off-by: ShutingZhao <shutting06@gmail.com> * cleanups Signed-off-by: ShutingZhao <shutting06@gmail.com> * added webhook informer to re-create it immediately if missing Signed-off-by: ShutingZhao <shutting06@gmail.com> * update tag webhookTimeoutSeconds description Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix e2e tests Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix linter issue Signed-off-by: ShutingZhao <shutting06@gmail.com> * correct metric endpoint Signed-off-by: ShutingZhao <shutting06@gmail.com> * add pol.generate.kind to webhooks Signed-off-by: ShutingZhao <shutting06@gmail.com>
2021-10-05 00:15:09 -07:00
reinvocationPolicy := admregapi.IfNeededReinvocationPolicy
983 kustomize support (#1026) * prototype - strategic merge patch * add end to end test * add engine strategic merge patch support * set webhook reinvocationPolicy to IfNeeded * refactor engine mutate code * support JMESPath in strategic merge patch * implement patchesJson6902 * update doc * resolve pr comments
2020-08-05 09:11:23 -07:00
Dynamic webhooks (#2425) * support k8s 1.22, update admissionregistration.k8s.io/v1beta1 to admissionregistration.k8s.io/v1 Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add failurePolicy to policy spec; - fix typo Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add schema validation for failurePolicy; - add a printer column Signed-off-by: ShutingZhao <shutting06@gmail.com> * set default failure policy to fail if not defined Signed-off-by: ShutingZhao <shutting06@gmail.com> * resolve conflicts Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix missing type for printerColumn Signed-off-by: ShutingZhao <shutting06@gmail.com> * refactor policy controller Signed-off-by: ShutingZhao <shutting06@gmail.com> * add webhook config manager Signed-off-by: ShutingZhao <shutting06@gmail.com> * - build webhook objects per policy update; - add fail webhook to default webhook configurations Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix panic on policy update Signed-off-by: ShutingZhao <shutting06@gmail.com> * build default webhook: match empty if autoUpdateWebhooks is enabled, otherwise match all Signed-off-by: ShutingZhao <shutting06@gmail.com> * - set default webhook configs rule to empty; - handle policy deletion Signed-off-by: ShutingZhao <shutting06@gmail.com> * reset webhook config if policies with a specific failurePolicy are cleaned up Signed-off-by: ShutingZhao <shutting06@gmail.com> * handle wildcard pocliy Signed-off-by: ShutingZhao <shutting06@gmail.com> * update default webhook timeout to 10s Signed-off-by: ShutingZhao <shutting06@gmail.com> * cleanups Signed-off-by: ShutingZhao <shutting06@gmail.com> * added webhook informer to re-create it immediately if missing Signed-off-by: ShutingZhao <shutting06@gmail.com> * update tag webhookTimeoutSeconds description Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix e2e tests Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix linter issue Signed-off-by: ShutingZhao <shutting06@gmail.com> * correct metric endpoint Signed-off-by: ShutingZhao <shutting06@gmail.com> * add pol.generate.kind to webhooks Signed-off-by: ShutingZhao <shutting06@gmail.com>
2021-10-05 00:15:09 -07:00
w := admregapi.MutatingWebhook{
983 kustomize support (#1026) * prototype - strategic merge patch * add end to end test * add engine strategic merge patch support * set webhook reinvocationPolicy to IfNeeded * refactor engine mutate code * support JMESPath in strategic merge patch * implement patchesJson6902 * update doc * resolve pr comments
2020-08-05 09:11:23 -07:00
ReinvocationPolicy: &reinvocationPolicy,
Name: name,
logs & access
2020-03-17 11:05:20 -07:00
ClientConfig: admregapi.WebhookClientConfig{
Service: &admregapi.ServiceReference{
update webhook registration and monitor (#1318) * update webhook registration and monitor * update log * fix test * improve logs * improve logs * format changes * decrease interval for webhook config checks
2020-11-26 16:07:06 -08:00
Namespace: config.KyvernoNamespace,
Name: config.KyvernoServiceName,
logs & access
2020-03-17 11:05:20 -07:00
Path: &servicePath,
},
CABundle: caData,
},
Dynamic webhooks (#2425) * support k8s 1.22, update admissionregistration.k8s.io/v1beta1 to admissionregistration.k8s.io/v1 Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add failurePolicy to policy spec; - fix typo Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add schema validation for failurePolicy; - add a printer column Signed-off-by: ShutingZhao <shutting06@gmail.com> * set default failure policy to fail if not defined Signed-off-by: ShutingZhao <shutting06@gmail.com> * resolve conflicts Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix missing type for printerColumn Signed-off-by: ShutingZhao <shutting06@gmail.com> * refactor policy controller Signed-off-by: ShutingZhao <shutting06@gmail.com> * add webhook config manager Signed-off-by: ShutingZhao <shutting06@gmail.com> * - build webhook objects per policy update; - add fail webhook to default webhook configurations Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix panic on policy update Signed-off-by: ShutingZhao <shutting06@gmail.com> * build default webhook: match empty if autoUpdateWebhooks is enabled, otherwise match all Signed-off-by: ShutingZhao <shutting06@gmail.com> * - set default webhook configs rule to empty; - handle policy deletion Signed-off-by: ShutingZhao <shutting06@gmail.com> * reset webhook config if policies with a specific failurePolicy are cleaned up Signed-off-by: ShutingZhao <shutting06@gmail.com> * handle wildcard pocliy Signed-off-by: ShutingZhao <shutting06@gmail.com> * update default webhook timeout to 10s Signed-off-by: ShutingZhao <shutting06@gmail.com> * cleanups Signed-off-by: ShutingZhao <shutting06@gmail.com> * added webhook informer to re-create it immediately if missing Signed-off-by: ShutingZhao <shutting06@gmail.com> * update tag webhookTimeoutSeconds description Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix e2e tests Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix linter issue Signed-off-by: ShutingZhao <shutting06@gmail.com> * correct metric endpoint Signed-off-by: ShutingZhao <shutting06@gmail.com> * add pol.generate.kind to webhooks Signed-off-by: ShutingZhao <shutting06@gmail.com>
2021-10-05 00:15:09 -07:00
SideEffects: &sideEffect,
logs & access
2020-03-17 11:05:20 -07:00
AdmissionReviewVersions: []string{"v1beta1"},
TimeoutSeconds: &timeoutSeconds,
FailurePolicy: &failurePolicy,
}
Dynamic webhooks (#2425) * support k8s 1.22, update admissionregistration.k8s.io/v1beta1 to admissionregistration.k8s.io/v1 Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add failurePolicy to policy spec; - fix typo Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add schema validation for failurePolicy; - add a printer column Signed-off-by: ShutingZhao <shutting06@gmail.com> * set default failure policy to fail if not defined Signed-off-by: ShutingZhao <shutting06@gmail.com> * resolve conflicts Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix missing type for printerColumn Signed-off-by: ShutingZhao <shutting06@gmail.com> * refactor policy controller Signed-off-by: ShutingZhao <shutting06@gmail.com> * add webhook config manager Signed-off-by: ShutingZhao <shutting06@gmail.com> * - build webhook objects per policy update; - add fail webhook to default webhook configurations Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix panic on policy update Signed-off-by: ShutingZhao <shutting06@gmail.com> * build default webhook: match empty if autoUpdateWebhooks is enabled, otherwise match all Signed-off-by: ShutingZhao <shutting06@gmail.com> * - set default webhook configs rule to empty; - handle policy deletion Signed-off-by: ShutingZhao <shutting06@gmail.com> * reset webhook config if policies with a specific failurePolicy are cleaned up Signed-off-by: ShutingZhao <shutting06@gmail.com> * handle wildcard pocliy Signed-off-by: ShutingZhao <shutting06@gmail.com> * update default webhook timeout to 10s Signed-off-by: ShutingZhao <shutting06@gmail.com> * cleanups Signed-off-by: ShutingZhao <shutting06@gmail.com> * added webhook informer to re-create it immediately if missing Signed-off-by: ShutingZhao <shutting06@gmail.com> * update tag webhookTimeoutSeconds description Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix e2e tests Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix linter issue Signed-off-by: ShutingZhao <shutting06@gmail.com> * correct metric endpoint Signed-off-by: ShutingZhao <shutting06@gmail.com> * add pol.generate.kind to webhooks Signed-off-by: ShutingZhao <shutting06@gmail.com>
2021-10-05 00:15:09 -07:00
if !reflect.DeepEqual(rule, admregapi.Rule{}) {
w.Rules = []admregapi.RuleWithOperations{
{
Operations: operationTypes,
Rule: rule,
},
}
}
return w
logs & access
2020-03-17 11:05:20 -07:00
}
// validating webhook
Dynamic webhooks (#2425) * support k8s 1.22, update admissionregistration.k8s.io/v1beta1 to admissionregistration.k8s.io/v1 Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add failurePolicy to policy spec; - fix typo Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add schema validation for failurePolicy; - add a printer column Signed-off-by: ShutingZhao <shutting06@gmail.com> * set default failure policy to fail if not defined Signed-off-by: ShutingZhao <shutting06@gmail.com> * resolve conflicts Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix missing type for printerColumn Signed-off-by: ShutingZhao <shutting06@gmail.com> * refactor policy controller Signed-off-by: ShutingZhao <shutting06@gmail.com> * add webhook config manager Signed-off-by: ShutingZhao <shutting06@gmail.com> * - build webhook objects per policy update; - add fail webhook to default webhook configurations Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix panic on policy update Signed-off-by: ShutingZhao <shutting06@gmail.com> * build default webhook: match empty if autoUpdateWebhooks is enabled, otherwise match all Signed-off-by: ShutingZhao <shutting06@gmail.com> * - set default webhook configs rule to empty; - handle policy deletion Signed-off-by: ShutingZhao <shutting06@gmail.com> * reset webhook config if policies with a specific failurePolicy are cleaned up Signed-off-by: ShutingZhao <shutting06@gmail.com> * handle wildcard pocliy Signed-off-by: ShutingZhao <shutting06@gmail.com> * update default webhook timeout to 10s Signed-off-by: ShutingZhao <shutting06@gmail.com> * cleanups Signed-off-by: ShutingZhao <shutting06@gmail.com> * added webhook informer to re-create it immediately if missing Signed-off-by: ShutingZhao <shutting06@gmail.com> * update tag webhookTimeoutSeconds description Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix e2e tests Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix linter issue Signed-off-by: ShutingZhao <shutting06@gmail.com> * correct metric endpoint Signed-off-by: ShutingZhao <shutting06@gmail.com> * add pol.generate.kind to webhooks Signed-off-by: ShutingZhao <shutting06@gmail.com>
2021-10-05 00:15:09 -07:00
func generateValidatingWebhook(name, servicePath string, caData []byte, validation bool, timeoutSeconds int32, rule admregapi.Rule, operationTypes []admregapi.OperationType, failurePolicy admregapi.FailurePolicyType) admregapi.ValidatingWebhook {
528_add_webhook_defaults
2019-12-04 17:28:39 -08:00
sideEffect := admregapi.SideEffectClassNoneOnDryRun
Dynamic webhooks (#2425) * support k8s 1.22, update admissionregistration.k8s.io/v1beta1 to admissionregistration.k8s.io/v1 Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add failurePolicy to policy spec; - fix typo Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add schema validation for failurePolicy; - add a printer column Signed-off-by: ShutingZhao <shutting06@gmail.com> * set default failure policy to fail if not defined Signed-off-by: ShutingZhao <shutting06@gmail.com> * resolve conflicts Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix missing type for printerColumn Signed-off-by: ShutingZhao <shutting06@gmail.com> * refactor policy controller Signed-off-by: ShutingZhao <shutting06@gmail.com> * add webhook config manager Signed-off-by: ShutingZhao <shutting06@gmail.com> * - build webhook objects per policy update; - add fail webhook to default webhook configurations Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix panic on policy update Signed-off-by: ShutingZhao <shutting06@gmail.com> * build default webhook: match empty if autoUpdateWebhooks is enabled, otherwise match all Signed-off-by: ShutingZhao <shutting06@gmail.com> * - set default webhook configs rule to empty; - handle policy deletion Signed-off-by: ShutingZhao <shutting06@gmail.com> * reset webhook config if policies with a specific failurePolicy are cleaned up Signed-off-by: ShutingZhao <shutting06@gmail.com> * handle wildcard pocliy Signed-off-by: ShutingZhao <shutting06@gmail.com> * update default webhook timeout to 10s Signed-off-by: ShutingZhao <shutting06@gmail.com> * cleanups Signed-off-by: ShutingZhao <shutting06@gmail.com> * added webhook informer to re-create it immediately if missing Signed-off-by: ShutingZhao <shutting06@gmail.com> * update tag webhookTimeoutSeconds description Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix e2e tests Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix linter issue Signed-off-by: ShutingZhao <shutting06@gmail.com> * correct metric endpoint Signed-off-by: ShutingZhao <shutting06@gmail.com> * add pol.generate.kind to webhooks Signed-off-by: ShutingZhao <shutting06@gmail.com>
2021-10-05 00:15:09 -07:00
w := admregapi.ValidatingWebhook{
create policy mutating webhook config resouce + refactoring
2019-08-27 14:52:56 -07:00
Name: name,
ClientConfig: admregapi.WebhookClientConfig{
Service: &admregapi.ServiceReference{
update webhook registration and monitor (#1318) * update webhook registration and monitor * update log * fix test * improve logs * improve logs * format changes * decrease interval for webhook config checks
2020-11-26 16:07:06 -08:00
Namespace: config.KyvernoNamespace,
Name: config.KyvernoServiceName,
create policy mutating webhook config resouce + refactoring
2019-08-27 14:52:56 -07:00
Path: &servicePath,
},
CABundle: caData,
},
Dynamic webhooks (#2425) * support k8s 1.22, update admissionregistration.k8s.io/v1beta1 to admissionregistration.k8s.io/v1 Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add failurePolicy to policy spec; - fix typo Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add schema validation for failurePolicy; - add a printer column Signed-off-by: ShutingZhao <shutting06@gmail.com> * set default failure policy to fail if not defined Signed-off-by: ShutingZhao <shutting06@gmail.com> * resolve conflicts Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix missing type for printerColumn Signed-off-by: ShutingZhao <shutting06@gmail.com> * refactor policy controller Signed-off-by: ShutingZhao <shutting06@gmail.com> * add webhook config manager Signed-off-by: ShutingZhao <shutting06@gmail.com> * - build webhook objects per policy update; - add fail webhook to default webhook configurations Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix panic on policy update Signed-off-by: ShutingZhao <shutting06@gmail.com> * build default webhook: match empty if autoUpdateWebhooks is enabled, otherwise match all Signed-off-by: ShutingZhao <shutting06@gmail.com> * - set default webhook configs rule to empty; - handle policy deletion Signed-off-by: ShutingZhao <shutting06@gmail.com> * reset webhook config if policies with a specific failurePolicy are cleaned up Signed-off-by: ShutingZhao <shutting06@gmail.com> * handle wildcard pocliy Signed-off-by: ShutingZhao <shutting06@gmail.com> * update default webhook timeout to 10s Signed-off-by: ShutingZhao <shutting06@gmail.com> * cleanups Signed-off-by: ShutingZhao <shutting06@gmail.com> * added webhook informer to re-create it immediately if missing Signed-off-by: ShutingZhao <shutting06@gmail.com> * update tag webhookTimeoutSeconds description Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix e2e tests Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix linter issue Signed-off-by: ShutingZhao <shutting06@gmail.com> * correct metric endpoint Signed-off-by: ShutingZhao <shutting06@gmail.com> * add pol.generate.kind to webhooks Signed-off-by: ShutingZhao <shutting06@gmail.com>
2021-10-05 00:15:09 -07:00
SideEffects: &sideEffect,
528_add_webhook_defaults
2019-12-04 17:28:39 -08:00
AdmissionReviewVersions: []string{"v1beta1"},
TimeoutSeconds: &timeoutSeconds,
- set failurepolicy of webhookconfiguraitons to ignore; - disable auto-gen on policy disabllow_default_namespace
2020-01-15 18:01:50 -08:00
FailurePolicy: &failurePolicy,
create policy mutating webhook config resouce + refactoring
2019-08-27 14:52:56 -07:00
}
Dynamic webhooks (#2425) * support k8s 1.22, update admissionregistration.k8s.io/v1beta1 to admissionregistration.k8s.io/v1 Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add failurePolicy to policy spec; - fix typo Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add schema validation for failurePolicy; - add a printer column Signed-off-by: ShutingZhao <shutting06@gmail.com> * set default failure policy to fail if not defined Signed-off-by: ShutingZhao <shutting06@gmail.com> * resolve conflicts Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix missing type for printerColumn Signed-off-by: ShutingZhao <shutting06@gmail.com> * refactor policy controller Signed-off-by: ShutingZhao <shutting06@gmail.com> * add webhook config manager Signed-off-by: ShutingZhao <shutting06@gmail.com> * - build webhook objects per policy update; - add fail webhook to default webhook configurations Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix panic on policy update Signed-off-by: ShutingZhao <shutting06@gmail.com> * build default webhook: match empty if autoUpdateWebhooks is enabled, otherwise match all Signed-off-by: ShutingZhao <shutting06@gmail.com> * - set default webhook configs rule to empty; - handle policy deletion Signed-off-by: ShutingZhao <shutting06@gmail.com> * reset webhook config if policies with a specific failurePolicy are cleaned up Signed-off-by: ShutingZhao <shutting06@gmail.com> * handle wildcard pocliy Signed-off-by: ShutingZhao <shutting06@gmail.com> * update default webhook timeout to 10s Signed-off-by: ShutingZhao <shutting06@gmail.com> * cleanups Signed-off-by: ShutingZhao <shutting06@gmail.com> * added webhook informer to re-create it immediately if missing Signed-off-by: ShutingZhao <shutting06@gmail.com> * update tag webhookTimeoutSeconds description Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix e2e tests Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix linter issue Signed-off-by: ShutingZhao <shutting06@gmail.com> * correct metric endpoint Signed-off-by: ShutingZhao <shutting06@gmail.com> * add pol.generate.kind to webhooks Signed-off-by: ShutingZhao <shutting06@gmail.com>
2021-10-05 00:15:09 -07:00
if !reflect.DeepEqual(rule, admregapi.Rule{}) {
w.Rules = []admregapi.RuleWithOperations{
{
Operations: operationTypes,
Rule: rule,
},
}
}
return w
create policy mutating webhook config resouce + refactoring
2019-08-27 14:52:56 -07:00
}
Copy permalink