mirror of https://github.com/kyverno/kyverno.git synced 2025-03-05 07:26:55 +00:00

refactor: switch to admission v1 (#3526)

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Co-authored-by: shuting <shuting@nirmata.com>
Charles-Edouard Brétéché 2022-04-06 22:43:07 +02:00 committed by GitHub
parent c8275b7c00
commit 06c2b2bb79
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
21 changed files with 108 additions and 109 deletions


@ -1,7 +1,7 @@
package v1
import (
"k8s.io/api/admission/v1beta1"
admissionv1 "k8s.io/api/admission/v1"
authenticationv1 "k8s.io/api/authentication/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
@ -55,7 +55,7 @@ type AdmissionRequestInfoObject struct {
// +optional
AdmissionRequest string `json:"admissionRequest,omitempty" yaml:"admissionRequest,omitempty"`
// +optional
Operation v1beta1.Operation `json:"operation,omitempty" yaml:"operation,omitempty"`
Operation admissionv1.Operation `json:"operation,omitempty" yaml:"operation,omitempty"`
}
// RequestInfo contains permission info carried in an admission request.


@ -110,8 +110,8 @@ string
<td>
<code>operation</code></br>
<em>
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#operation-v1beta1-admission">
Kubernetes admission/v1beta1.Operation
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#operation-v1-admission">
Kubernetes admission/v1.Operation
</a>
</em>
</td>


@ -10,7 +10,7 @@ import (
jsonpatch "github.com/evanphx/json-patch/v5"
"github.com/go-logr/logr"
kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
"k8s.io/api/admission/v1beta1"
admissionv1 "k8s.io/api/admission/v1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
"sigs.k8s.io/controller-runtime/pkg/log"
)
@ -19,7 +19,7 @@ import (
type Interface interface {
// AddRequest marshals and adds the admission request to the context
AddRequest(request *v1beta1.AdmissionRequest) error
AddRequest(request *admissionv1.AdmissionRequest) error
// AddJSON merges the json with context
AddJSON(dataRaw []byte) error
@ -97,7 +97,7 @@ func (ctx *Context) AddJSONObject(jsonData interface{}) error {
}
// AddRequest adds an admission request to context
func (ctx *Context) AddRequest(request *v1beta1.AdmissionRequest) error {
func (ctx *Context) AddRequest(request *admissionv1.AdmissionRequest) error {
modifiedResource := struct {
Request interface{} `json:"request"`
}{


@ -4,7 +4,7 @@ import (
"testing"
"github.com/stretchr/testify/assert"
"k8s.io/api/admission/v1beta1"
admissionv1 "k8s.io/api/admission/v1"
)
func TestHasChanged(t *testing.T) {
@ -27,7 +27,7 @@ func TestHasChanged(t *testing.T) {
}
func TestRequestNotInitialize(t *testing.T) {
request := &v1beta1.AdmissionRequest{}
request := &admissionv1.AdmissionRequest{}
ctx := NewContext()
ctx.AddRequest(request)
@ -36,7 +36,7 @@ func TestRequestNotInitialize(t *testing.T) {
}
func TestMissingOldObject(t *testing.T) {
request := &v1beta1.AdmissionRequest{}
request := &admissionv1.AdmissionRequest{}
ctx := NewContext()
ctx.AddRequest(request)
request.Object.Raw = []byte(`{"a": {"b": 1, "c": 2}, "d": 3}`)
@ -46,7 +46,7 @@ func TestMissingOldObject(t *testing.T) {
}
func TestMissingObject(t *testing.T) {
request := &v1beta1.AdmissionRequest{}
request := &admissionv1.AdmissionRequest{}
ctx := NewContext()
ctx.AddRequest(request)
request.OldObject.Raw = []byte(`{"a": {"b": 1, "c": 2}, "d": 3}`)
@ -56,7 +56,7 @@ func TestMissingObject(t *testing.T) {
}
func createTestContext(obj, oldObj string) *Context {
request := &v1beta1.AdmissionRequest{}
request := &admissionv1.AdmissionRequest{}
request.Operation = "UPDATE"
request.Object.Raw = []byte(obj)
request.OldObject.Raw = []byte(oldObj)


@ -13,7 +13,7 @@ import (
"github.com/kyverno/kyverno/pkg/kyverno/store"
utils2 "github.com/kyverno/kyverno/pkg/utils"
"gotest.tools/assert"
"k8s.io/api/admission/v1beta1"
admissionv1 "k8s.io/api/admission/v1"
)
func TestGetAnchorsFromMap_ThereAreAnchors(t *testing.T) {
@ -2104,7 +2104,7 @@ func executeTest(t *testing.T, err error, test testCase) {
t.Fatal(err)
}
var request *v1beta1.AdmissionRequest
var request *admissionv1.AdmissionRequest
err = json.Unmarshal(test.request, &request)
if err != nil {
t.Fatal(err)


@ -23,7 +23,7 @@ import (
"github.com/kyverno/kyverno/pkg/engine/utils"
"github.com/kyverno/kyverno/pkg/engine/variables"
kyvernoutils "github.com/kyverno/kyverno/pkg/utils"
"k8s.io/api/admission/v1beta1"
admissionv1 "k8s.io/api/admission/v1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@ -146,13 +146,13 @@ func (c *Controller) applyGenerate(resource unstructured.Unstructured, gr kyvern
}
requestString := gr.Spec.Context.AdmissionRequestInfo.AdmissionRequest
var request v1beta1.AdmissionRequest
var request admissionv1.AdmissionRequest
err = json.Unmarshal([]byte(requestString), &request)
if err != nil {
logger.Error(err, "error parsing the request string")
}
if gr.Spec.Context.AdmissionRequestInfo.Operation == v1beta1.Update {
if gr.Spec.Context.AdmissionRequestInfo.Operation == admissionv1.Update {
request.Operation = gr.Spec.Context.AdmissionRequestInfo.Operation
}
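Review bot: A failed `json.Unmarshal` of the stored admission request is only logged here, so `applyGenerate` continues with a zero-valued `admissionv1.AdmissionRequest` (no user info, no object), and the following `if` can still set `Operation` on it from the spec. That string is read from the GenerateRequest spec rather than received from the API server, so a malformed or truncated value should stop processing instead of being evaluated as an empty request; I would return the error right after the `logger.Error(err, "error parsing the request string")` line, in whatever shape the function's return signature allows (the signature is truncated in the hunk header). The body of `applyGenerate` starts and ends outside this hunk.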


@ -4,11 +4,8 @@ import (
"reflect"
"time"
kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
"k8s.io/api/admission/v1beta1"
"k8s.io/client-go/kubernetes"
"github.com/go-logr/logr"
kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
"github.com/kyverno/kyverno/pkg/autogen"
kyvernoclient "github.com/kyverno/kyverno/pkg/client/clientset/versioned"
kyvernoinformer "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1"
@ -16,12 +13,14 @@ import (
"github.com/kyverno/kyverno/pkg/config"
dclient "github.com/kyverno/kyverno/pkg/dclient"
"github.com/kyverno/kyverno/pkg/event"
admissionv1 "k8s.io/api/admission/v1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
"k8s.io/apimachinery/pkg/util/wait"
"k8s.io/client-go/dynamic/dynamicinformer"
"k8s.io/client-go/informers"
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/tools/cache"
"k8s.io/client-go/util/workqueue"
)
@ -237,7 +236,7 @@ func (c *Controller) updateGenericResource(old, cur interface{}) {
// re-evaluate the GR as the resource was updated
for _, gr := range grs {
gr.Spec.Context.AdmissionRequestInfo.Operation = v1beta1.Update
gr.Spec.Context.AdmissionRequestInfo.Operation = admissionv1.Update
c.enqueueGenerateRequest(gr)
}
}
@ -294,7 +293,7 @@ func (c *Controller) updatePolicy(old, cur interface{}) {
// re-evaluate the GR as the policy was updated
for _, gr := range grs {
gr.Spec.Context.AdmissionRequestInfo.Operation = v1beta1.Update
gr.Spec.Context.AdmissionRequestInfo.Operation = admissionv1.Update
c.enqueueGenerateRequest(gr)
}
}


@ -22,7 +22,7 @@ import (
"github.com/kyverno/kyverno/pkg/utils"
kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
"github.com/pkg/errors"
v1beta1 "k8s.io/api/admission/v1beta1"
admissionv1 "k8s.io/api/admission/v1"
"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/sets"
@ -78,7 +78,7 @@ func validateJSONPatchPathForForwardSlash(patch string) error {
}
// Validate checks the policy and rules declarations for required configurations
func Validate(policy kyverno.PolicyInterface, client *dclient.Client, mock bool, openAPIController *openapi.Controller) (*v1beta1.AdmissionResponse, error) {
func Validate(policy kyverno.PolicyInterface, client *dclient.Client, mock bool, openAPIController *openapi.Controller) (*admissionv1.AdmissionResponse, error) {
namespaced := policy.IsNamespaced()
spec := policy.GetSpec()
background := spec.BackgroundProcessingEnabled()
@ -122,7 +122,7 @@ func Validate(policy kyverno.PolicyInterface, client *dclient.Client, mock bool,
if jsonPatchOnPod(rule) {
log.Log.V(1).Info("Pods managed by workload controllers cannot be mutated using policies. Use the autogen feature or write policies that match Pod controllers.")
return &v1beta1.AdmissionResponse{
return &admissionv1.AdmissionResponse{
Allowed: true,
Warnings: []string{"Pods managed by workload controllers cannot be mutated using policies. Use the autogen feature or write policies that match Pod controllers."},
}, nil
@ -237,7 +237,7 @@ func Validate(policy kyverno.PolicyInterface, client *dclient.Client, mock bool,
podOnlyMap["Pod"] = true
if reflect.DeepEqual(common.GetKindsFromRule(rule), podOnlyMap) && podControllerAutoGenExclusion(policy) {
log.Log.V(4).Info("Pod controllers excluded from autogen require adding of preconditions to also exclude the desired controller(s).")
return &v1beta1.AdmissionResponse{
return &admissionv1.AdmissionResponse{
Allowed: true,
Warnings: []string{"Pod controllers excluded from autogen require adding of preconditions to also exclude the desired controller(s)."},
}, nil


@ -6,7 +6,7 @@ import (
"github.com/kyverno/kyverno/pkg/config"
"github.com/kyverno/kyverno/pkg/utils"
v1beta1 "k8s.io/api/admission/v1beta1"
admissionv1 "k8s.io/api/admission/v1"
authenticationv1 "k8s.io/api/authentication/v1"
rbacv1 "k8s.io/api/rbac/v1"
labels "k8s.io/apimachinery/pkg/labels"
@ -31,7 +31,7 @@ type allRolesStruct struct {
var allRoles []allRolesStruct
//GetRoleRef gets the list of roles and cluster roles for the incoming api-request
func GetRoleRef(rbLister rbaclister.RoleBindingLister, crbLister rbaclister.ClusterRoleBindingLister, request *v1beta1.AdmissionRequest, dynamicConfig config.Interface) (roles []string, clusterRoles []string, err error) {
func GetRoleRef(rbLister rbaclister.RoleBindingLister, crbLister rbaclister.ClusterRoleBindingLister, request *admissionv1.AdmissionRequest, dynamicConfig config.Interface) (roles []string, clusterRoles []string, err error) {
keys := append(request.UserInfo.Groups, request.UserInfo.Username)
if utils.SliceContains(keys, dynamicConfig.GetExcludeGroupRole()...) {
return
@ -139,7 +139,7 @@ func matchUserOrGroup(subject rbacv1.Subject, userInfo authenticationv1.UserInfo
}
//IsRoleAuthorize is role authorize or not
func IsRoleAuthorize(rbLister rbaclister.RoleBindingLister, crbLister rbaclister.ClusterRoleBindingLister, rLister rbaclister.RoleLister, crLister rbaclister.ClusterRoleLister, request *v1beta1.AdmissionRequest, dynamicConfig config.Interface) (bool, error) {
func IsRoleAuthorize(rbLister rbaclister.RoleBindingLister, crbLister rbaclister.ClusterRoleBindingLister, rLister rbaclister.RoleLister, crLister rbaclister.ClusterRoleLister, request *admissionv1.AdmissionRequest, dynamicConfig config.Interface) (bool, error) {
if strings.Contains(request.UserInfo.Username, SaPrefix) {
roles, clusterRoles, err := GetRoleRef(rbLister, crbLister, request, dynamicConfig)
if err != nil {
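Review bot: `IsRoleAuthorize` decides whether the caller is a service account with `strings.Contains(request.UserInfo.Username, SaPrefix)`, which matches the marker anywhere in the username rather than at its start. `SaPrefix` is defined outside this page, but if it is the service-account username prefix its name suggests, `strings.HasPrefix(request.UserInfo.Username, SaPrefix)` expresses the intent and keeps a username that merely embeds that text out of the service-account branch. In `GetRoleRef`, `append(request.UserInfo.Groups, request.UserInfo.Username)` may write into the backing array of the request's own `Groups` slice; `keys := append([]string{request.UserInfo.Username}, request.UserInfo.Groups...)` builds an independent slice. Both function bodies continue outside their hunks.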


@ -5,7 +5,7 @@ import (
"fmt"
kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
v1beta1 "k8s.io/api/admission/v1beta1"
admissionv1 "k8s.io/api/admission/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
@ -26,30 +26,30 @@ func UnmarshalPolicy(kind string, raw []byte) (kyverno.PolicyInterface, error) {
return nil, fmt.Errorf("admission request does not contain a policy")
}
func GetPolicy(request *v1beta1.AdmissionRequest) (kyverno.PolicyInterface, error) {
func GetPolicy(request *admissionv1.AdmissionRequest) (kyverno.PolicyInterface, error) {
return UnmarshalPolicy(request.Kind.Kind, request.Object.Raw)
}
func GetPolicies(request *v1beta1.AdmissionRequest) (kyverno.PolicyInterface, kyverno.PolicyInterface, error) {
func GetPolicies(request *admissionv1.AdmissionRequest) (kyverno.PolicyInterface, kyverno.PolicyInterface, error) {
policy, err := UnmarshalPolicy(request.Kind.Kind, request.Object.Raw)
if err != nil {
return policy, nil, err
}
if request.Operation == v1beta1.Update {
if request.Operation == admissionv1.Update {
oldPolicy, err := UnmarshalPolicy(request.Kind.Kind, request.OldObject.Raw)
return policy, oldPolicy, err
}
return policy, nil, nil
}
func Response(allowed bool) *v1beta1.AdmissionResponse {
r := &v1beta1.AdmissionResponse{
func Response(allowed bool) *admissionv1.AdmissionResponse {
r := &admissionv1.AdmissionResponse{
Allowed: allowed,
}
return r
}
func ResponseWithMessage(allowed bool, msg string) *v1beta1.AdmissionResponse {
func ResponseWithMessage(allowed bool, msg string) *admissionv1.AdmissionResponse {
r := Response(allowed)
r.Result = &metav1.Status{
Message: msg,
@ -57,13 +57,13 @@ func ResponseWithMessage(allowed bool, msg string) *v1beta1.AdmissionResponse {
return r
}
func ResponseWithMessageAndPatch(allowed bool, msg string, patch []byte) *v1beta1.AdmissionResponse {
func ResponseWithMessageAndPatch(allowed bool, msg string, patch []byte) *admissionv1.AdmissionResponse {
r := ResponseWithMessage(allowed, msg)
r.Patch = patch
return r
}
func ResponseStatus(allowed bool, status, msg string) *v1beta1.AdmissionResponse {
func ResponseStatus(allowed bool, status, msg string) *admissionv1.AdmissionResponse {
r := Response(allowed)
r.Result = &metav1.Status{
Status: status,
@ -72,15 +72,15 @@ func ResponseStatus(allowed bool, status, msg string) *v1beta1.AdmissionResponse
return r
}
func ResponseFailure(allowed bool, msg string) *v1beta1.AdmissionResponse {
func ResponseFailure(allowed bool, msg string) *admissionv1.AdmissionResponse {
return ResponseStatus(allowed, metav1.StatusFailure, msg)
}
func ResponseSuccess(allowed bool, msg string) *v1beta1.AdmissionResponse {
func ResponseSuccess(allowed bool, msg string) *admissionv1.AdmissionResponse {
return ResponseStatus(allowed, metav1.StatusSuccess, msg)
}
func ResponseSuccessWithPatch(allowed bool, msg string, patch []byte) *v1beta1.AdmissionResponse {
func ResponseSuccessWithPatch(allowed bool, msg string, patch []byte) *admissionv1.AdmissionResponse {
r := ResponseSuccess(allowed, msg)
if len(patch) > 0 {
r.Patch = patch
@ -88,7 +88,7 @@ func ResponseSuccessWithPatch(allowed bool, msg string, patch []byte) *v1beta1.A
return r
}
func GetResourceName(request *v1beta1.AdmissionRequest) string {
func GetResourceName(request *admissionv1.AdmissionRequest) string {
resourceName := request.Kind.Kind + "/" + request.Name
if request.Namespace != "" {
resourceName = request.Namespace + "/" + resourceName
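Review bot: The exported response helpers in this file have no doc comments, and `ResponseFailure(allowed bool, msg string)` takes `allowed` independently of the status, so a caller can build a response whose `Result.Status` is `metav1.StatusFailure` but which still admits the request. I would state that on the helper, e.g. `// ResponseFailure returns a response whose Result.Status is metav1.StatusFailure; the admission decision comes from allowed, not from the status.`, and add matching one-line comments to `Response`, `ResponseStatus`, `ResponseSuccess`, `GetPolicy` and `GetPolicies`. The body of `GetResourceName` continues past the last hunk.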


@ -14,7 +14,7 @@ import (
wildcard "github.com/kyverno/go-wildcard"
client "github.com/kyverno/kyverno/pkg/dclient"
engineutils "github.com/kyverno/kyverno/pkg/engine/utils"
"k8s.io/api/admission/v1beta1"
admissionv1 "k8s.io/api/admission/v1"
corev1 "k8s.io/api/core/v1"
"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@ -137,7 +137,7 @@ func isCRDInstalled(discoveryClient client.IDiscovery, kind string) bool {
}
// ExtractResources extracts the new and old resource as unstructured
func ExtractResources(newRaw []byte, request *v1beta1.AdmissionRequest) (unstructured.Unstructured, unstructured.Unstructured, error) {
func ExtractResources(newRaw []byte, request *admissionv1.AdmissionRequest) (unstructured.Unstructured, unstructured.Unstructured, error) {
var emptyResource unstructured.Unstructured
var newResource unstructured.Unstructured
var oldResource unstructured.Unstructured


@ -13,7 +13,7 @@ import (
engineutils2 "github.com/kyverno/kyverno/pkg/utils/engine"
"github.com/pkg/errors"
yamlv2 "gopkg.in/yaml.v2"
"k8s.io/api/admission/v1beta1"
admissionv1 "k8s.io/api/admission/v1"
)
// returns true -> if there is even one policy that blocks resource request
@ -70,7 +70,7 @@ func getErrorMsg(engineReponses []*response.EngineResponse) string {
}
// patchRequest applies patches to the request.Object and returns a new copy of the request
func patchRequest(patches []byte, request *v1beta1.AdmissionRequest, logger logr.Logger) *v1beta1.AdmissionRequest {
func patchRequest(patches []byte, request *admissionv1.AdmissionRequest, logger logr.Logger) *admissionv1.AdmissionRequest {
patchedResource := processResourceWithPatches(patches, request.Object.Raw, logger)
newRequest := request.DeepCopy()
newRequest.Object.Raw = patchedResource
@ -157,7 +157,7 @@ func excludeKyvernoResources(kind string) bool {
}
}
func newVariablesContext(request *v1beta1.AdmissionRequest, userRequestInfo *kyverno.RequestInfo) (*enginectx.Context, error) {
func newVariablesContext(request *admissionv1.AdmissionRequest, userRequestInfo *kyverno.RequestInfo) (*enginectx.Context, error) {
ctx := enginectx.NewContext()
if err := ctx.AddRequest(request); err != nil {
return nil, errors.Wrap(err, "failed to load incoming request in context")


@ -12,7 +12,7 @@ import (
kyvernoinformer "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1"
kyvernolister "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1"
"github.com/kyverno/kyverno/pkg/config"
"k8s.io/api/admission/v1beta1"
admissionv1 "k8s.io/api/admission/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/labels"
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
@ -21,13 +21,13 @@ import (
// GenerateRequests provides interface to manage generate requests
type GenerateRequests interface {
Apply(gr kyverno.GenerateRequestSpec, action v1beta1.Operation) error
Apply(gr kyverno.GenerateRequestSpec, action admissionv1.Operation) error
}
// GeneratorChannel ...
type GeneratorChannel struct {
spec kyverno.GenerateRequestSpec
action v1beta1.Operation
action admissionv1.Operation
}
// Generator defines the implementation to mange generate request resource
@ -54,7 +54,7 @@ func NewGenerator(client *kyvernoclient.Clientset, grInformer kyvernoinformer.Ge
}
// Apply creates generate request resource (blocking call if channel is full)
func (g *Generator) Apply(gr kyverno.GenerateRequestSpec, action v1beta1.Operation) error {
func (g *Generator) Apply(gr kyverno.GenerateRequestSpec, action admissionv1.Operation) error {
logger := g.log
logger.V(4).Info("creating Generate Request", "request", gr)
@ -91,7 +91,7 @@ func (g *Generator) processApply(m GeneratorChannel) {
}
}
func (g *Generator) generate(grSpec kyverno.GenerateRequestSpec, action v1beta1.Operation) error {
func (g *Generator) generate(grSpec kyverno.GenerateRequestSpec, action admissionv1.Operation) error {
// create/update a generate request
if err := retryApplyResource(g.client, grSpec, g.log, action, g.grLister); err != nil {
@ -104,7 +104,7 @@ func (g *Generator) generate(grSpec kyverno.GenerateRequestSpec, action v1beta1.
// use worker pattern to read and create the CR resource
func retryApplyResource(client *kyvernoclient.Clientset, grSpec kyverno.GenerateRequestSpec,
log logr.Logger, action v1beta1.Operation, grLister kyvernolister.GenerateRequestNamespaceLister) error {
log logr.Logger, action admissionv1.Operation, grLister kyvernolister.GenerateRequestNamespaceLister) error {
var i int
var err error
@ -122,7 +122,7 @@ func retryApplyResource(client *kyvernoclient.Clientset, grSpec kyverno.Generate
// Initial state "Pending"
// generate requests created in kyverno namespace
isExist := false
if action == v1beta1.Create || action == v1beta1.Update {
if action == admissionv1.Create || action == admissionv1.Update {
log.V(4).Info("querying all generate requests")
selector := labels.SelectorFromSet(labels.Set(map[string]string{
"generate.kyverno.io/policy-name": policyName,


@ -25,13 +25,13 @@ import (
gen "github.com/kyverno/kyverno/pkg/generate"
kyvernoutils "github.com/kyverno/kyverno/pkg/utils"
"github.com/kyverno/kyverno/pkg/webhooks/generate"
"k8s.io/api/admission/v1beta1"
admissionv1 "k8s.io/api/admission/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
"k8s.io/apimachinery/pkg/labels"
)
func (ws *WebhookServer) applyGeneratePolicies(request *v1beta1.AdmissionRequest, policyContext *engine.PolicyContext, policies []kyverno.PolicyInterface, ts int64, logger logr.Logger) {
func (ws *WebhookServer) applyGeneratePolicies(request *admissionv1.AdmissionRequest, policyContext *engine.PolicyContext, policies []kyverno.PolicyInterface, ts int64, logger logr.Logger) {
admissionReviewCompletionLatencyChannel := make(chan int64, 1)
generateEngineResponsesSenderForAdmissionReviewDurationMetric := make(chan []*response.EngineResponse, 1)
generateEngineResponsesSenderForAdmissionRequestsCountMetric := make(chan []*response.EngineResponse, 1)
@ -43,7 +43,7 @@ func (ws *WebhookServer) applyGeneratePolicies(request *v1beta1.AdmissionRequest
//handleGenerate handles admission-requests for policies with generate rules
func (ws *WebhookServer) handleGenerate(
request *v1beta1.AdmissionRequest,
request *admissionv1.AdmissionRequest,
policies []kyverno.PolicyInterface,
ctx *context.Context,
userRequestInfo kyverno.RequestInfo,
@ -58,7 +58,7 @@ func (ws *WebhookServer) handleGenerate(
logger.V(6).Info("generate request")
var engineResponses []*response.EngineResponse
if (request.Operation == v1beta1.Create || request.Operation == v1beta1.Update) && len(policies) != 0 {
if (request.Operation == admissionv1.Create || request.Operation == admissionv1.Update) && len(policies) != 0 {
// convert RAW to unstructured
new, old, err := kyvernoutils.ExtractResources(nil, request)
if err != nil {
@ -113,7 +113,7 @@ func (ws *WebhookServer) handleGenerate(
}
}
if request.Operation == v1beta1.Update {
if request.Operation == admissionv1.Update {
ws.handleUpdatesForGenerateRules(request, policies)
}
@ -125,8 +125,8 @@ func (ws *WebhookServer) handleGenerate(
}
//handleUpdatesForGenerateRules handles admission-requests for update
func (ws *WebhookServer) handleUpdatesForGenerateRules(request *v1beta1.AdmissionRequest, policies []kyverno.PolicyInterface) {
if request.Operation != v1beta1.Update {
func (ws *WebhookServer) handleUpdatesForGenerateRules(request *admissionv1.AdmissionRequest, policies []kyverno.PolicyInterface) {
if request.Operation != admissionv1.Update {
return
}
@ -141,7 +141,7 @@ func (ws *WebhookServer) handleUpdatesForGenerateRules(request *v1beta1.Admissio
ws.handleUpdateGenerateSourceResource(resLabels, logger)
}
if resLabels["app.kubernetes.io/managed-by"] == "kyverno" && resLabels["policy.kyverno.io/synchronize"] == "enable" && request.Operation == v1beta1.Update {
if resLabels["app.kubernetes.io/managed-by"] == "kyverno" && resLabels["policy.kyverno.io/synchronize"] == "enable" && request.Operation == admissionv1.Update {
ws.handleUpdateGenerateTargetResource(request, policies, resLabels, logger)
}
}
@ -197,7 +197,7 @@ func (ws *WebhookServer) updateAnnotationInGR(gr *kyverno.GenerateRequest, logge
}
//handleUpdateGenerateTargetResource - handles update of target resource for generate policy
func (ws *WebhookServer) handleUpdateGenerateTargetResource(request *v1beta1.AdmissionRequest, policies []kyverno.PolicyInterface, resLabels map[string]string, logger logr.Logger) {
func (ws *WebhookServer) handleUpdateGenerateTargetResource(request *admissionv1.AdmissionRequest, policies []kyverno.PolicyInterface, resLabels map[string]string, logger logr.Logger) {
enqueueBool := false
newRes, err := enginutils.ConvertToUnstructured(request.Object.Raw)
if err != nil {
@ -260,7 +260,7 @@ func (ws *WebhookServer) handleUpdateGenerateTargetResource(request *v1beta1.Adm
func getGeneratedByResource(newRes *unstructured.Unstructured, resLabels map[string]string, client *client.Client, rule kyverno.Rule, logger logr.Logger) (kyverno.Rule, error) {
var apiVersion, kind, name, namespace string
sourceRequest := &v1beta1.AdmissionRequest{}
sourceRequest := &admissionv1.AdmissionRequest{}
kind = resLabels["kyverno.io/generated-by-kind"]
name = resLabels["kyverno.io/generated-by-name"]
if kind != "Namespace" {
@ -355,7 +355,7 @@ func stripNonPolicyFields(obj, newRes map[string]interface{}, logger logr.Logger
}
//HandleDelete handles admission-requests for delete
func (ws *WebhookServer) handleDelete(request *v1beta1.AdmissionRequest) {
func (ws *WebhookServer) handleDelete(request *admissionv1.AdmissionRequest) {
logger := ws.log.WithValues("action", "generation", "uid", request.UID, "kind", request.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation, "gvk", request.Kind.String())
resource, err := enginutils.ConvertToUnstructured(request.OldObject.Raw)
if err != nil {
@ -363,7 +363,7 @@ func (ws *WebhookServer) handleDelete(request *v1beta1.AdmissionRequest) {
}
resLabels := resource.GetLabels()
if resLabels["app.kubernetes.io/managed-by"] == "kyverno" && request.Operation == v1beta1.Delete {
if resLabels["app.kubernetes.io/managed-by"] == "kyverno" && request.Operation == admissionv1.Delete {
grName := resLabels["policy.kyverno.io/gr-name"]
gr, err := ws.grLister.Get(grName)
if err != nil {
@ -397,8 +397,8 @@ func (ws *WebhookServer) deleteGR(logger logr.Logger, engineResponse *response.E
}
}
func applyGenerateRequest(request *v1beta1.AdmissionRequest, gnGenerator generate.GenerateRequests, userRequestInfo kyverno.RequestInfo,
action v1beta1.Operation, engineResponses ...*response.EngineResponse) (failedGenerateRequest []generateRequestResponse) {
func applyGenerateRequest(request *admissionv1.AdmissionRequest, gnGenerator generate.GenerateRequests, userRequestInfo kyverno.RequestInfo,
action admissionv1.Operation, engineResponses ...*response.EngineResponse) (failedGenerateRequest []generateRequestResponse) {
requestBytes, err := json.Marshal(request)
if err != nil {
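Review bot: `handleDelete` selects the GenerateRequest to act on purely from labels of the object being deleted: `app.kubernetes.io/managed-by` gates the branch and the value of `policy.kyverno.io/gr-name` goes straight into `ws.grLister.Get(grName)`. Labels can be set by whoever is allowed to create or update the resource, so they are not proof that Kyverno generated it. What happens to the returned GR lies outside the hunk, but before acting on it I would confirm that the GR really refers to this resource (kind, namespace, name) and otherwise log and skip, with a comment such as `// labels are caller-controlled: verify the GR's recorded resource matches before acting on it`. The same reliance on labels appears in `getGeneratedByResource` (`kyverno.io/generated-by-kind`, `kyverno.io/generated-by-name`).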


@ -19,7 +19,7 @@ import (
"github.com/kyverno/kyverno/pkg/utils"
admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
"github.com/kyverno/kyverno/pkg/webhooks/handlers"
"k8s.io/api/admission/v1beta1"
admissionv1 "k8s.io/api/admission/v1"
)
// TODO: use admission review sub resource ?
@ -36,12 +36,12 @@ func isStatusUpdate(old, new kyverno.PolicyInterface) bool {
return true
}
func errorResponse(logger logr.Logger, err error, message string) *v1beta1.AdmissionResponse {
func errorResponse(logger logr.Logger, err error, message string) *admissionv1.AdmissionResponse {
logger.Error(err, message)
return admissionutils.ResponseFailure(false, message+": "+err.Error())
}
func setupLogger(logger logr.Logger, name string, request *v1beta1.AdmissionRequest) logr.Logger {
func setupLogger(logger logr.Logger, name string, request *admissionv1.AdmissionRequest) logr.Logger {
return logger.WithName("MutateWebhook").WithValues(
"uid", request.UID,
"kind", request.Kind,
@ -59,7 +59,7 @@ func (ws *WebhookServer) admissionHandler(filter bool, inner handlers.AdmissionH
return handlers.Monitor(ws.webhookMonitor, handlers.Admission(ws.log, inner))
}
func (ws *WebhookServer) policyMutation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
func (ws *WebhookServer) policyMutation(request *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse {
logger := setupLogger(ws.log, "policy mutation", request)
policy, oldPolicy, err := admissionutils.GetPolicies(request)
if err != nil {
@ -81,7 +81,7 @@ func (ws *WebhookServer) policyMutation(request *v1beta1.AdmissionRequest) *v1be
}
//policyValidation performs the validation check on policy resource
func (ws *WebhookServer) policyValidation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
func (ws *WebhookServer) policyValidation(request *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse {
logger := setupLogger(ws.log, "policy validation", request)
policy, oldPolicy, err := admissionutils.GetPolicies(request)
if err != nil {
@ -107,12 +107,12 @@ func (ws *WebhookServer) policyValidation(request *v1beta1.AdmissionRequest) *v1
}
// resourceMutation mutates resource
func (ws *WebhookServer) resourceMutation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
func (ws *WebhookServer) resourceMutation(request *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse {
logger := setupLogger(ws.log, "resource mutation", request)
if excludeKyvernoResources(request.Kind.Kind) {
return admissionutils.ResponseSuccess(true, "")
}
if request.Operation == v1beta1.Delete {
if request.Operation == admissionv1.Delete {
resource, err := utils.ConvertResource(request.OldObject.Raw, request.Kind.Group, request.Kind.Version, request.Kind.Kind, request.Namespace)
if err == nil {
ws.prGenerator.Add(buildDeletionPrInfo(resource))
@ -150,9 +150,9 @@ func (ws *WebhookServer) resourceMutation(request *v1beta1.AdmissionRequest) *v1
return admissionutils.ResponseSuccessWithPatch(true, "", patches)
}
func (ws *WebhookServer) resourceValidation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
func (ws *WebhookServer) resourceValidation(request *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse {
logger := setupLogger(ws.log, "resource validation", request)
if request.Operation == v1beta1.Delete {
if request.Operation == admissionv1.Delete {
ws.handleDelete(request)
}
if excludeKyvernoResources(request.Kind.Kind) {
@ -166,7 +166,7 @@ func (ws *WebhookServer) resourceValidation(request *v1beta1.AdmissionRequest) *
nsPolicies := ws.pCache.GetPolicies(policycache.ValidateEnforce, request.Kind.Kind, request.Namespace)
policies = append(policies, nsPolicies...)
generatePolicies := ws.pCache.GetPolicies(policycache.Generate, request.Kind.Kind, request.Namespace)
if len(generatePolicies) == 0 && request.Operation == v1beta1.Update {
if len(generatePolicies) == 0 && request.Operation == admissionv1.Update {
// handle generate source resource updates
go ws.handleUpdatesForGenerateRules(request, []kyverno.PolicyInterface{})
}
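Review bot: `go ws.handleUpdatesForGenerateRules(request, []kyverno.PolicyInterface{})` in `resourceValidation` starts one untracked goroutine per matching UPDATE admission, with nothing visible that bounds, cancels or waits for it, and it hands over the same `request` pointer the handler goes on using. Under a burst of updates that is unbounded background work driven by API callers, and any later write to the request would race with the goroutine. At minimum I would pass a copy, `go ws.handleUpdatesForGenerateRules(request.DeepCopy(), []kyverno.PolicyInterface{})`, and preferably route the work through a bounded queue. `resourceValidation` continues outside this hunk.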


@ -11,10 +11,10 @@ import (
"github.com/kyverno/kyverno/pkg/config"
admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
"github.com/kyverno/kyverno/pkg/webhookconfig"
"k8s.io/api/admission/v1beta1"
admissionv1 "k8s.io/api/admission/v1"
)
type AdmissionHandler func(*v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse
type AdmissionHandler func(*admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse
func Admission(logger logr.Logger, inner AdmissionHandler) http.HandlerFunc {
return func(writer http.ResponseWriter, request *http.Request) {
@ -37,7 +37,7 @@ func Admission(logger logr.Logger, inner AdmissionHandler) http.HandlerFunc {
http.Error(writer, "invalid Content-Type, expect `application/json`", http.StatusUnsupportedMediaType)
return
}
admissionReview := &v1beta1.AdmissionReview{}
admissionReview := &admissionv1.AdmissionReview{}
if err := json.Unmarshal(body, &admissionReview); err != nil {
logger.Error(err, "failed to decode request body to type 'AdmissionReview")
http.Error(writer, "Can't decode body as AdmissionReview", http.StatusExpectationFailed)
@ -50,7 +50,7 @@ func Admission(logger logr.Logger, inner AdmissionHandler) http.HandlerFunc {
"operation", admissionReview.Request.Operation,
"uid", admissionReview.Request.UID,
)
admissionReview.Response = &v1beta1.AdmissionResponse{
admissionReview.Response = &admissionv1.AdmissionResponse{
Allowed: true,
UID: admissionReview.Request.UID,
}
@ -72,7 +72,7 @@ func Admission(logger logr.Logger, inner AdmissionHandler) http.HandlerFunc {
}
func Filter(c config.Interface, inner AdmissionHandler) AdmissionHandler {
return func(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
return func(request *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse {
if c.ToFilter(request.Kind.Kind, request.Namespace, request.Name) {
return nil
}
@ -81,7 +81,7 @@ func Filter(c config.Interface, inner AdmissionHandler) AdmissionHandler {
}
func Verify(m *webhookconfig.Monitor, logger logr.Logger) AdmissionHandler {
return func(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
return func(request *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse {
logger = logger.WithName("verifyHandler").WithValues(
"action", "verify",
"kind", request.Kind,


@ -14,12 +14,12 @@ import (
engineutils "github.com/kyverno/kyverno/pkg/utils/engine"
jsonutils "github.com/kyverno/kyverno/pkg/utils/json"
"github.com/pkg/errors"
"k8s.io/api/admission/v1beta1"
admissionv1 "k8s.io/api/admission/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
)
func (ws *WebhookServer) applyMutatePolicies(request *v1beta1.AdmissionRequest, policyContext *engine.PolicyContext, policies []kyverno.PolicyInterface, ts int64, logger logr.Logger) []byte {
func (ws *WebhookServer) applyMutatePolicies(request *admissionv1.AdmissionRequest, policyContext *engine.PolicyContext, policies []kyverno.PolicyInterface, ts int64, logger logr.Logger) []byte {
var mutateEngineResponses []*response.EngineResponse
mutatePatches, mutateEngineResponses := ws.handleMutation(request, policyContext, policies)
@ -35,7 +35,7 @@ func (ws *WebhookServer) applyMutatePolicies(request *v1beta1.AdmissionRequest,
// handleMutation handles mutating webhook admission request
// return value: generated patches, triggered policies, engine responses correspdonding to the triggered policies
func (ws *WebhookServer) handleMutation(
request *v1beta1.AdmissionRequest,
request *admissionv1.AdmissionRequest,
policyContext *engine.PolicyContext,
policies []kyverno.PolicyInterface) ([]byte, []*response.EngineResponse) {
@ -64,7 +64,7 @@ func (ws *WebhookServer) handleMutation(
deletionTimeStamp = oldR.GetDeletionTimestamp()
}
if deletionTimeStamp != nil && request.Operation == v1beta1.Update {
if deletionTimeStamp != nil && request.Operation == admissionv1.Update {
return nil, nil
}
var patches [][]byte
@ -115,7 +115,7 @@ func (ws *WebhookServer) handleMutation(
// all policies were applied successfully.
// create an event on the resource
// ADD EVENTS
events := generateEvents(engineResponses, false, request.Operation == v1beta1.Update, logger)
events := generateEvents(engineResponses, false, request.Operation == admissionv1.Update, logger)
ws.eventGen.Add(events...)
// debug info
@ -134,7 +134,7 @@ func (ws *WebhookServer) handleMutation(
return jsonutils.JoinPatches(patches...), engineResponses
}
func (ws *WebhookServer) applyMutation(request *v1beta1.AdmissionRequest, policyContext *engine.PolicyContext, logger logr.Logger) (*response.EngineResponse, [][]byte, error) {
func (ws *WebhookServer) applyMutation(request *admissionv1.AdmissionRequest, policyContext *engine.PolicyContext, logger logr.Logger) (*response.EngineResponse, [][]byte, error) {
if request.Kind.Kind != "Namespace" && request.Namespace != "" {
policyContext.NamespaceLabels = common.GetNamespaceSelectorsFromNamespaceLister(
request.Kind.Kind, request.Namespace, ws.nsLister, logger)
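Review bot: The early return in handleMutation on `deletionTimeStamp != nil && request.Operation == admissionv1.Update` carries no comment explaining why an update to an object that is being deleted skips policy processing. The same condition in handleValidation (the validation file section further down) returns `true, ""`, so such an update is admitted without any validate rule being evaluated. If the intent is to keep finalizer removal from being blocked, say so at both sites, e.g. `// object is terminating: skip policies so finalizer updates are not blocked`; that intent is an assumption, since only part of each function is visible in these hunks. It is also worth confirming that admitting every UPDATE to a terminating object is acceptable, because an object held by a finalizer can stay in that state for a long time.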


@ -29,7 +29,7 @@ import (
webhookgenerate "github.com/kyverno/kyverno/pkg/webhooks/generate"
"github.com/kyverno/kyverno/pkg/webhooks/handlers"
"github.com/pkg/errors"
"k8s.io/api/admission/v1beta1"
admissionv1 "k8s.io/api/admission/v1"
informers "k8s.io/client-go/informers/core/v1"
rbacinformer "k8s.io/client-go/informers/rbac/v1"
listerv1 "k8s.io/client-go/listers/core/v1"
@ -204,7 +204,7 @@ func NewWebhookServer(
return ws, nil
}
func (ws *WebhookServer) buildPolicyContext(request *v1beta1.AdmissionRequest, addRoles bool) (*engine.PolicyContext, error) {
func (ws *WebhookServer) buildPolicyContext(request *admissionv1.AdmissionRequest, addRoles bool) (*engine.PolicyContext, error) {
userRequestInfo := v1.RequestInfo{
AdmissionUserInfo: *request.UserInfo.DeepCopy(),
}
@ -232,7 +232,7 @@ func (ws *WebhookServer) buildPolicyContext(request *v1beta1.AdmissionRequest, a
return nil, errors.Wrap(err, "failed to add image information to the policy rule context")
}
if request.Kind.Kind == "Secret" && request.Operation == v1beta1.Update {
if request.Kind.Kind == "Secret" && request.Operation == admissionv1.Update {
resource, err = utils.NormalizeSecret(&resource)
if err != nil {
return nil, errors.Wrap(err, "failed to convert secret to unstructured format")
@ -248,7 +248,7 @@ func (ws *WebhookServer) buildPolicyContext(request *v1beta1.AdmissionRequest, a
Client: ws.client,
}
if request.Operation == v1beta1.Update {
if request.Operation == admissionv1.Update {
policyContext.OldResource = resource
}
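Review bot: `policyContext.OldResource = resource` on UPDATE assigns the same variable that the Secret branch above normalizes, and nothing visible in these hunks reads `request.OldObject`. If `resource` is built from `request.Object` (the lines that build it fall between the hunks, so this is an assumption), a policy that compares old and new state would see two identical objects on every update. Either the assignment should use the converted `request.OldObject`, or a comment should say where OldResource is replaced later, e.g. `// placeholder; callers overwrite OldResource from request.OldObject`. buildPolicyContext's body is only partly shown here.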


@ -20,7 +20,7 @@ import (
"github.com/kyverno/kyverno/pkg/policycache"
"github.com/kyverno/kyverno/pkg/policyreport"
"github.com/kyverno/kyverno/pkg/userinfo"
"k8s.io/api/admission/v1beta1"
admissionv1 "k8s.io/api/admission/v1"
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
"k8s.io/apimachinery/pkg/util/wait"
informers "k8s.io/client-go/informers/core/v1"
@ -41,7 +41,7 @@ const (
// the request is processed in background, with the exact same logic
// when process the admission request in the webhook
type AuditHandler interface {
Add(request *v1beta1.AdmissionRequest)
Add(request *admissionv1.AdmissionRequest)
Run(workers int, stopCh <-chan struct{})
}
@ -94,7 +94,7 @@ func NewValidateAuditHandler(pCache policycache.Interface,
}
}
func (h *auditHandler) Add(request *v1beta1.AdmissionRequest) {
func (h *auditHandler) Add(request *admissionv1.AdmissionRequest) {
h.log.V(4).Info("admission request added", "uid", request.UID, "kind", request.Kind.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
h.queue.Add(request)
}
@ -131,7 +131,7 @@ func (h *auditHandler) processNextWorkItem() bool {
defer h.queue.Done(obj)
request, ok := obj.(*v1beta1.AdmissionRequest)
request, ok := obj.(*admissionv1.AdmissionRequest)
if !ok {
h.queue.Forget(obj)
h.log.Info("incorrect type: expecting type 'AdmissionRequest'", "object", obj)
@ -144,7 +144,7 @@ func (h *auditHandler) processNextWorkItem() bool {
return true
}
func (h *auditHandler) process(request *v1beta1.AdmissionRequest) error {
func (h *auditHandler) process(request *admissionv1.AdmissionRequest) error {
var roles, clusterRoles []string
var err error
// time at which the corresponding the admission request's processing got initiated
@ -205,7 +205,7 @@ func (h *auditHandler) process(request *v1beta1.AdmissionRequest) error {
return nil
}
func (h *auditHandler) handleErr(err error, key interface{}, request *v1beta1.AdmissionRequest) {
func (h *auditHandler) handleErr(err error, key interface{}, request *admissionv1.AdmissionRequest) {
logger := h.log.WithName("handleErr")
if err == nil {
h.queue.Forget(key)
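Review bot: The type-assertion failure branch in processNextWorkItem logs the whole queued item with `"object", obj` at Info level. After this switch, any producer that still enqueues a `*v1beta1.AdmissionRequest` lands in that branch, and an admission request carries the raw resource, which for a Secret includes its data. Logging only the type keeps the diagnostic without the payload: `h.log.Info("incorrect type: expecting type 'AdmissionRequest'", "type", fmt.Sprintf("%T", obj))`. Add() in this file accepts only the v1 type, so whether another producer exists cannot be told from these hunks.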


@ -12,7 +12,7 @@ import (
"github.com/kyverno/kyverno/pkg/metrics"
"github.com/kyverno/kyverno/pkg/policyreport"
admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
v1beta1 "k8s.io/api/admission/v1beta1"
admissionv1 "k8s.io/api/admission/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
)
@ -28,7 +28,7 @@ type validationHandler struct {
// patchedResource is the (resource + patches) after applying mutation rules
func (v *validationHandler) handleValidation(
promConfig *metrics.PromConfig,
request *v1beta1.AdmissionRequest,
request *admissionv1.AdmissionRequest,
policies []v1.PolicyInterface,
policyContext *engine.PolicyContext,
namespaceLabels map[string]string,
@ -48,7 +48,7 @@ func (v *validationHandler) handleValidation(
deletionTimeStamp = policyContext.OldResource.GetDeletionTimestamp()
}
if deletionTimeStamp != nil && request.Operation == v1beta1.Update {
if deletionTimeStamp != nil && request.Operation == admissionv1.Update {
return true, ""
}
@ -94,7 +94,7 @@ func (v *validationHandler) handleValidation(
// Scenario 3:
// all policies were applied successfully.
// create an event on the resource
events := generateEvents(engineResponses, blocked, (request.Operation == v1beta1.Update), logger)
events := generateEvents(engineResponses, blocked, (request.Operation == admissionv1.Update), logger)
v.eventGen.Add(events...)
if blocked {
@ -109,7 +109,7 @@ func (v *validationHandler) handleValidation(
// reports are generated for non-managed pods/jobs only
// no need to create rcr for managed resources
if request.Operation == v1beta1.Delete {
if request.Operation == admissionv1.Delete {
managed := true
for _, er := range engineResponses {
if er.Policy != nil && !engine.ManagedPodResource(er.Policy, er.PatchedResource) {


@ -10,10 +10,10 @@ import (
"github.com/kyverno/kyverno/pkg/policyreport"
admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
jsonutils "github.com/kyverno/kyverno/pkg/utils/json"
"k8s.io/api/admission/v1beta1"
admissionv1 "k8s.io/api/admission/v1"
)
func (ws *WebhookServer) applyImageVerifyPolicies(request *v1beta1.AdmissionRequest, policyContext *engine.PolicyContext, policies []v1.PolicyInterface, logger logr.Logger) ([]byte, error) {
func (ws *WebhookServer) applyImageVerifyPolicies(request *admissionv1.AdmissionRequest, policyContext *engine.PolicyContext, policies []v1.PolicyInterface, logger logr.Logger) ([]byte, error) {
ok, message, imagePatches := ws.handleVerifyImages(request, policyContext, policies)
if !ok {
return nil, errors.New(message)
@ -23,7 +23,7 @@ func (ws *WebhookServer) applyImageVerifyPolicies(request *v1beta1.AdmissionRequ
return imagePatches, nil
}
func (ws *WebhookServer) handleVerifyImages(request *v1beta1.AdmissionRequest,
func (ws *WebhookServer) handleVerifyImages(request *admissionv1.AdmissionRequest,
policyContext *engine.PolicyContext,
policies []v1.PolicyInterface) (bool, string, []byte) {