
NK-10: Small fixes after dev testing

belyshevdenis 2019-02-19 18:01:47 +02:00
parent 3661e012a5
commit 0f78f5cb82
6 changed files with 63 additions and 56 deletions

.gitignore vendored

@ -4,3 +4,4 @@ pkg/apis/policy/v1alpha1/zz_generated.deepcopy.go
certs
kube-policy
Gopkg.lock
Dockerfile


@ -54,7 +54,7 @@ func NewController(masterURL, kubeconfigPath string, logger *log.Logger) (*Contr
// Run is main controller thread
func (c *Controller) Run(stopCh <-chan struct{}) {
c.policyInformerFactory.Start(stopCh)
//c.policyInformerFactory.Start(stopCh)
}
// GetPolicies retrieves all policy resources
@ -62,13 +62,11 @@ func (c *Controller) Run(stopCh <-chan struct{}) {
func (c *Controller) GetPolicies() ([]*types.Policy, error) {
// Create nil Selector to grab all the policies
cachedPolicies, err := c.policyLister.List(labels.NewSelector())
var policies []*types.Policy
if err != nil {
return nil, err
}
var policies []*types.Policy
for _, elem := range cachedPolicies {
policies = append(policies, elem.DeepCopy())
}
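Review bot: With `c.policyInformerFactory.Start(stopCh)` commented out, Run no longer starts the informer, and nothing else in this section does, so the lister that GetPolicies reads through `c.policyLister.List(labels.NewSelector())` would be serving a cache that is never populated and every caller would presumably see zero policies — for an admission controller that is a silent fail-open. If the factory is now started somewhere outside this file, record that on Run, e.g. `// The informer factory is started by the caller; Run is intentionally a no-op.`; otherwise restore the call and block until the cache is warm with `c.policyInformerFactory.Start(stopCh)` followed by `c.policyInformerFactory.WaitForCacheSync(stopCh)`. Moving `var policies` below the error check is fine. GetPolicies continues past the end of this hunk.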


@ -8,15 +8,18 @@ Compiles the project to go executable, generates docker image and pushes it to t
### generate-server-cert.sh ###
Generates TLS certificate and key that used by webhook server. Example:
`scripts/generate-server-cert.sh --service=kube-policy-svc --namespace=my_namespace --serverIp=192.168.10.117`
* `--service` identifies the service for in-cluster webhook server. Do not specify it if you plan to run webhook server outside the cluster.
* `--namespace` identifies the namespace for in-cluster webhook server. Default value is "default".
* `--serverIp` is the IP of master node, it can be found in `~/.kube/config`: clusters.cluster[0].server. **The default is hardcoded value**, so you should explicitly specify it.
* `--service` identifies the service for in-cluster webhook server. Do not specify it if you plan to run webhook server outside the cluster, or cpecify 'localhost' if you want to run controller locally.
* `--namespace` identifies the namespace for in-cluster webhook server. Do not specify it if you plan to run controller locally.
* `--serverIp` is the IP of master node, it can be found in `~/.kube/config`: clusters.cluster[0].server. You should explicitly specify it.
### deploy-controller.sh ###
Prepares controller for current environment in 1 of 2 possible modes: free (local) and in-cluster. Usage:
`scripts/deploy-controller.sh --namespace=my_namespace --serverIp=192.168.10.117`
* --namespace identifies the namespace for in-cluster webhook server. Do not specify it if you plan to run webhook server outside the cluster.
* --serverIp is the IP of master node, means the same as for `generate-server-cert.sh`.
Prepares controller for free (local) or in-cluster use. Uses `generate-server-cert.sh` inside and has the same parameters with almost same meaning:
* `--service` - the name of the service which will be created for the controller. Use 'localhost' value to deploy controller locally. The default is 'kube-policu-svc'
* `--namespace` - the target namespace to deploy the controller. Do not specify it if you want to depoloy controller locally.
* `--serverIp` means the same as for `generate-server-cert.sh`
Examples:
`scripts/deploy-controller.sh --service=my-kube-policy --namespace=my_namespace --serverIp=192.168.10.117` - deploy controller to the cluster with master node '192.168.10.117' to the namespace 'my_namespace' as a service 'my-kube-policy'
`scripts/deploy-controller.sh --service=localhost --serverIp=192.168.10.117` - deploy controller locally for usage in cluster with mnaster node at '192.168.10.117'
### test-web-hook.sh ###
Quickly creates and deletes test config map. If your webhook server is running, you should see the corresponding output from it. Use this script after `deploy-controller.sh`.


@ -3,6 +3,10 @@
for i in "$@"
do
case $i in
--service=*)
service_name="${i#*=}"
shift
;;
--namespace=*)
namespace="${i#*=}"
shift
@ -17,20 +21,17 @@ done
hub_user_name="nirmata"
project_name="kube-policy"
service_name="${project_name}-svc"
if [ -z "${service_name}" ]; then
service_name="${project_name}-svc"
fi
echo "Generating certificate for the service ${service_name}..."
certsGenerator="./scripts/generate-server-cert.sh"
chmod +x "${certsGenerator}"
if [ -z "${namespace}" ]; then # controller is launched locally
if [ -z "${namespace}" ]; then # controller should be launched locally
if [ -z "${serverIp}" ]; then
echo "--serverIp should be explicitly specified if --namespace is empty"
exit 1
fi
${certsGenerator} "--serverIp=${serverIp}" || exit 2
${certsGenerator} "--service=${service_name}" "--serverIp=${serverIp}" || exit 2
echo "Applying webhook..."
kubectl delete -f crd/MutatingWebhookConfiguration_local.yaml
@ -38,7 +39,7 @@ if [ -z "${namespace}" ]; then # controller is launched locally
echo -e "\n### You can build and run kube-policy project locally.\n### To check its work, run it with parameters -cert and -key, which contain generated TLS certificate and key (see their paths in log above)."
else # controller is launched within a cluster
else # controller should be launched within a cluster
${certsGenerator} "--service=${service_name}" "--namespace=${namespace}" "--serverIp=${serverIp}" || exit 2
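Review bot: In the local branch (`if [ -z "${namespace}" ]`) the script now always passes `--service=${service_name}`, but `service_name` is defaulted globally to `${project_name}-svc`, so a local deployment that omits `--service` requests a certificate for `kube-policy-svc` rather than the `localhost` the README prescribes; the line this replaces produced a serverIp-based CN. Default per mode instead, e.g. inside the local branch `service_name="${service_name:-localhost}"`, or refuse other values there with `[ "${service_name}" = "localhost" ] || { echo "--service must be 'localhost' when --namespace is empty"; exit 1; }`. Whether the CN must match the endpoint also depends on `crd/MutatingWebhookConfiguration_local.yaml` and the csr.conf SANs, neither of which is in this diff. The in-cluster `else` branch at the end of this section continues outside the hunk.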


@ -18,10 +18,6 @@ case $i in
esac
done
if [ -z "${namespace}" ]; then
namespace="default"
fi
echo "service is $service"
echo "namespace is $namespace"
echo "serverIp is $serverIp"
@ -53,15 +49,18 @@ outKeyFile=${destdir}/server-key.pem
outCertFile=${destdir}/server.crt
openssl genrsa -out ${outKeyFile} 2048 || exit 2
if [ ! -z "${service}" ]; then
subjectCN="${service}.${namespace}.svc"
echo "Configuring work WITHIN a cluster with CN=${subjectCN}"
if [ ! -z "${namespace}" ]; then
subjectCN="${service}.${namespace}.svc"
else
subjectCN="${service}"
fi
else
subjectCN=${serverIp}
echo "Configuring work OUTSIDE a cluster with CN=${subjectCN}"
fi
openssl req -new -key ${destdir}/server-key.pem -subj "/CN=${subjectCN}" -out ${tmpdir}/server.csr -config ${tmpdir}/csr.conf || exit 3
echo "Generating certificate for CN=${subjectCN}"
openssl req -new -key ${destdir}/server-key.pem -subj "/CN=${service}.${namespace}.svc" -out ${tmpdir}/server.csr -config ${tmpdir}/csr.conf || exit 3
CSR_NAME=${service}.cert-request
kubectl delete csr ${CSR_NAME} 2>/dev/null
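Review bot: Reading this section old-then-new as the rest of the page renders, the new `openssl req` line uses `-subj "/CN=${service}.${namespace}.svc"` while the block just above it computes `subjectCN` (bare service name when `--namespace` is empty, `serverIp` when `--service` is empty) and the new echo reports that value — so the computed CN is never used, and a local-mode run would get a certificate for `localhost..svc`. The request line should read `-subj "/CN=${subjectCN}"`. Since `--namespace` no longer defaults to `default` and the `else` branch does not check `serverIp`, also guard against an empty subject before calling openssl, e.g. `[ -n "${subjectCN}" ] || { echo "cannot derive certificate CN: pass --service or --serverIp"; exit 1; }`. The SAN section of csr.conf is written earlier in this file, outside the hunk, and must agree with whichever CN is chosen.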


@ -1,24 +1,22 @@
package server
import (
"io/ioutil"
"net/http"
//"net/http/httputil"
"crypto/tls"
"context"
"time"
"log"
"os"
"fmt"
"crypto/tls"
"encoding/json"
"fmt"
"io/ioutil"
"log"
"net/http"
"os"
"time"
v1beta1 "k8s.io/api/admission/v1beta1"
//appsv1 "k8s.io/api/apps/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/kubernetes/pkg/apis/core"
coreTypes "k8s.io/kubernetes/pkg/apis/core"
)
// WebhookServer is a struct that describes
// WebhookServer is a struct that describes
// TLS server with mutation webhook
type WebhookServer struct {
server http.Server
@ -37,7 +35,7 @@ func (ws *WebhookServer) serve(w http.ResponseWriter, r *http.Request) {
if admissionReview == nil {
return
}
admissionResponse := ws.mutate(admissionReview)
if admissionResponse != nil {
admissionReview.Response = admissionResponse
@ -53,7 +51,7 @@ func (ws *WebhookServer) serve(w http.ResponseWriter, r *http.Request) {
ws.logger.Printf("Response body: %v", string(responseJson))
if _, err := w.Write(responseJson); err != nil {
http.Error(w, fmt.Sprintf("could not write response: %v", err), http.StatusInternalServerError)
http.Error(w, fmt.Sprintf("could not write response: %v", err), http.StatusOK)
}
}
@ -84,19 +82,20 @@ func (ws *WebhookServer) parseAdmissionReview(request *http.Request, writer http
http.Error(writer, "Can't decode body as AdmissionReview", http.StatusExpectationFailed)
return nil
} else {
ws.logger.Printf("Request body:\n%v", string(body))
return admissionReview
}
}
func (ws *WebhookServer) mutate(ar *v1beta1.AdmissionReview) *v1beta1.AdmissionResponse {
req := ar.Request
request := ar.Request
ws.logger.Printf("AdmissionReview for Kind=%v, Namespace=%v Name=%v (%v) UID=%v patchOperation=%v UserInfo=%v",
req.Kind.Kind, req.Namespace, req.Name, req.UID, req.Operation, req.UserInfo)
ws.logger.Printf("AdmissionReview for Kind=%v, Namespace=%v Name=%v UID=%v patchOperation=%v UserInfo=%v",
request.Kind.Kind, request.Namespace, request.Name, request.UID, request.Operation, request.UserInfo)
if req.Kind.Kind == "ConfigMap" {
var configMap core.ConfigMap
if err := json.Unmarshal(req.Object.Raw, &configMap); err != nil {
if admissionRequired(request) {
var configMap coreTypes.ConfigMap
if err := json.Unmarshal(request.Object.Raw, &configMap); err != nil {
ws.logger.Printf("Could not unmarshal raw object: %v", err)
return &v1beta1.AdmissionResponse{
Result: &metav1.Status{
@ -108,9 +107,11 @@ func (ws *WebhookServer) mutate(ar *v1beta1.AdmissionReview) *v1beta1.AdmissionR
ws.logger.Printf("CONFIG MAP DATA: %v=%v", k, v)
}
patch := patchOperation{
Path: "labels/isMutated",
Op: "Add",
Value: "TRUE",
Path: "labels",
Op: "Add",
Value: map[string]string{
"IS_MUTATED": "TRUE",
},
}
patchBytes, _ := json.Marshal(patch)
ws.logger.Printf("AdmissionResponse: patch=%v\n", "TODO")
@ -130,7 +131,11 @@ func (ws *WebhookServer) mutate(ar *v1beta1.AdmissionReview) *v1beta1.AdmissionR
}
}
// RunAsync runs TLS server in separate
func admissionRequired(request *v1beta1.AdmissionRequest) bool {
return request.Kind.Kind == "ConfigMap"
}
// RunAsync runs TLS server in separate
// thread and returns control immediately
func (ws *WebhookServer) RunAsync() {
go func(ws *WebhookServer) {
@ -156,7 +161,7 @@ func NewWebhookServer(certFile string, keyFile string, logger *log.Logger) *Webh
if logger == nil {
logger = log.New(os.Stdout, "", log.LstdFlags|log.Lshortfile)
}
var config tls.Config
pair, err := tls.LoadX509KeyPair(certFile, keyFile)
if err != nil {
@ -165,9 +170,9 @@ func NewWebhookServer(certFile string, keyFile string, logger *log.Logger) *Webh
config.Certificates = []tls.Certificate{pair}
mux := http.NewServeMux()
ws := &WebhookServer {
server: http.Server {
ws := &WebhookServer{
server: http.Server{
Addr: ":443", // Listen on port for HTTPS requests
TLSConfig: &config,
Handler: mux,
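Review bot: The new patch in mutate is not a valid JSON Patch: `Op: "Add"` must be lowercase `add`, `Path: "labels"` must be a JSON Pointer such as `/metadata/labels`, and the document must be an array of operations rather than the single object `json.Marshal(patch)` produces, so the API server will reject the patch on every ConfigMap admission. Note also that `add` on `/metadata/labels` replaces any existing labels map, so the key should be added at `/metadata/labels/IS_MUTATED` when labels already exist; the `patchOperation` type and the `PatchType` field of the returned AdmissionResponse are declared outside this hunk and should be confirmed to carry `op`/`path`/`value` tags and `JSONPatch` respectively. Separately, `http.Error(w, ..., http.StatusOK)` in serve reports a write failure as success; since the body write has already begun the status cannot change, so log the error instead of calling http.Error there.
```go
// … unchanged: configMap unmarshal and data logging …
var patch patchOperation
if configMap.Labels == nil {
	patch = patchOperation{Op: "add", Path: "/metadata/labels", Value: map[string]string{"IS_MUTATED": "TRUE"}}
} else {
	patch = patchOperation{Op: "add", Path: "/metadata/labels/IS_MUTATED", Value: "TRUE"}
}
patchBytes, err := json.Marshal([]patchOperation{patch})
if err != nil {
	ws.logger.Printf("Could not marshal patch: %v", err)
	// … return a failing AdmissionResponse as the unmarshal branch above does …
}
// … unchanged: build AdmissionResponse with patchBytes …
```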