mirror of https://github.com/kyverno/kyverno.git synced 2025-03-13 19:28:55 +00:00

refactor: use internal cmd package in kyverno (#5507)

Charles-Edouard Brétéché 2022-11-30 14:37:53 +01:00 committed by GitHub
parent 6fe8d773ee
commit 1ea4a0db19
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
17 changed files with 123 additions and 174 deletions


@ -6,7 +6,6 @@ import (
"errors"
"flag"
"fmt"
"net/http"
"os"
"strings"
"sync"
@ -61,107 +60,7 @@ const (
resyncPeriod = 15 * time.Minute
)
var (
// TODO: this has been added to backward support command line arguments
// will be removed in future and the configuration will be set only via configmaps
serverIP string
metricsPort string
webhookTimeout int
genWorkers int
maxQueuedEvents int
disableMetricsExport bool
otel string
otelCollector string
transportCreds string
autoUpdateWebhooks bool
imagePullSecrets string
imageSignatureRepository string
allowInsecureRegistry bool
webhookRegistrationTimeout time.Duration
backgroundScan bool
admissionReports bool
reportsChunkSize int
backgroundScanWorkers int
dumpPayload bool
leaderElectionRetryPeriod time.Duration
// DEPRECATED: remove in 1.9
splitPolicyReport bool
)
func parseFlags(config internal.Configuration) {
internal.InitFlags(config)
flag.BoolVar(&dumpPayload, "dumpPayload", false, "Set this flag to activate/deactivate debug mode.")
flag.IntVar(&webhookTimeout, "webhookTimeout", webhookcontroller.DefaultWebhookTimeout, "Timeout for webhook configurations.")
flag.IntVar(&genWorkers, "genWorkers", 10, "Workers for generate controller.")
flag.IntVar(&maxQueuedEvents, "maxQueuedEvents", 1000, "Maximum events to be queued.")
flag.StringVar(&serverIP, "serverIP", "", "IP address where Kyverno controller runs. Only required if out-of-cluster.")
flag.BoolVar(&disableMetricsExport, "disableMetrics", false, "Set this flag to 'true' to disable metrics.")
flag.StringVar(&otel, "otelConfig", "prometheus", "Set this flag to 'grpc', to enable exporting metrics to an Opentelemetry Collector. The default collector is set to \"prometheus\"")
flag.StringVar(&otelCollector, "otelCollector", "opentelemetrycollector.kyverno.svc.cluster.local", "Set this flag to the OpenTelemetry Collector Service Address. Kyverno will try to connect to this on the metrics port.")
flag.StringVar(&transportCreds, "transportCreds", "", "Set this flag to the CA secret containing the certificate which is used by our Opentelemetry Metrics Client. If empty string is set, means an insecure connection will be used")
flag.StringVar(&metricsPort, "metricsPort", "8000", "Expose prometheus metrics at the given port, default to 8000.")
flag.StringVar(&imagePullSecrets, "imagePullSecrets", "", "Secret resource names for image registry access credentials.")
flag.StringVar(&imageSignatureRepository, "imageSignatureRepository", "", "Alternate repository for image signatures. Can be overridden per rule via `verifyImages.Repository`.")
flag.BoolVar(&allowInsecureRegistry, "allowInsecureRegistry", false, "Whether to allow insecure connections to registries. Don't use this for anything but testing.")
flag.BoolVar(&autoUpdateWebhooks, "autoUpdateWebhooks", true, "Set this flag to 'false' to disable auto-configuration of the webhook.")
flag.DurationVar(&webhookRegistrationTimeout, "webhookRegistrationTimeout", 120*time.Second, "Timeout for webhook registration, e.g., 30s, 1m, 5m.")
flag.Func(toggle.ProtectManagedResourcesFlagName, toggle.ProtectManagedResourcesDescription, toggle.ProtectManagedResources.Parse)
flag.BoolVar(&backgroundScan, "backgroundScan", true, "Enable or disable backgound scan.")
flag.Func(toggle.ForceFailurePolicyIgnoreFlagName, toggle.ForceFailurePolicyIgnoreDescription, toggle.ForceFailurePolicyIgnore.Parse)
flag.BoolVar(&admissionReports, "admissionReports", true, "Enable or disable admission reports.")
flag.IntVar(&reportsChunkSize, "reportsChunkSize", 1000, "Max number of results in generated reports, reports will be split accordingly if there are more results to be stored.")
flag.IntVar(&backgroundScanWorkers, "backgroundScanWorkers", backgroundscancontroller.Workers, "Configure the number of background scan workers.")
flag.DurationVar(&leaderElectionRetryPeriod, "leaderElectionRetryPeriod", leaderelection.DefaultRetryPeriod, "Configure leader election retry period.")
// DEPRECATED: remove in 1.9
flag.BoolVar(&splitPolicyReport, "splitPolicyReport", false, "This is deprecated, please don't use it, will be removed in v1.9.")
flag.Parse()
}
func setupMetrics(ctx context.Context, logger logr.Logger, kubeClient kubernetes.Interface) (*metrics.MetricsConfig, context.CancelFunc, error) {
logger = logger.WithName("metrics")
logger.Info("setup metrics...", "otel", otel, "port", metricsPort, "collector", otelCollector, "creds", transportCreds)
metricsConfiguration := internal.GetMetricsConfiguration(logger, kubeClient)
metricsAddr := ":" + metricsPort
metricsConfig, metricsServerMux, metricsPusher, err := metrics.InitMetrics(
ctx,
disableMetricsExport,
otel,
metricsAddr,
otelCollector,
metricsConfiguration,
transportCreds,
kubeClient,
logging.WithName("metrics"),
)
if err != nil {
return nil, nil, err
}
var cancel context.CancelFunc
if otel == "grpc" {
cancel = func() {
ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
defer cancel()
metrics.ShutDownController(ctx, metricsPusher)
}
}
if otel == "prometheus" {
go func() {
metricsServer := http.Server{
Addr: metricsAddr,
Handler: metricsServerMux,
ErrorLog: logging.StdLogger(logger, ""),
ReadHeaderTimeout: 30 * time.Second,
}
if err := metricsServer.ListenAndServe(); err != nil {
logger.Error(err, "failed to enable metrics", "address", metricsAddr)
os.Exit(1)
}
}()
}
return metricsConfig, cancel, nil
}
func setupRegistryClient(logger logr.Logger, kubeClient kubernetes.Interface) error {
func setupRegistryClient(logger logr.Logger, kubeClient kubernetes.Interface, imagePullSecrets string, allowInsecureRegistry bool) error {
logger = logger.WithName("registry-client")
logger.Info("setup registry client...", "secrets", imagePullSecrets, "insecure", allowInsecureRegistry)
var registryOptions []registryclient.Option
@ -180,7 +79,7 @@ func setupRegistryClient(logger logr.Logger, kubeClient kubernetes.Interface) er
return nil
}
func setupCosign(logger logr.Logger) {
func setupCosign(logger logr.Logger, imageSignatureRepository string) {
logger = logger.WithName("cosign")
logger.Info("setup cosign...", "repository", imageSignatureRepository)
if imageSignatureRepository != "" {
@ -188,7 +87,7 @@ func setupCosign(logger logr.Logger) {
}
}
func showWarnings(logger logr.Logger) {
func showWarnings(logger logr.Logger, splitPolicyReport bool) {
logger = logger.WithName("warnings")
// DEPRECATED: remove in 1.9
if splitPolicyReport {
@ -208,6 +107,7 @@ func sanityChecks(dynamicClient dclient.Interface) error {
}
func createNonLeaderControllers(
genWorkers int,
kubeInformer kubeinformers.SharedInformerFactory,
kubeKyvernoInformer kubeinformers.SharedInformerFactory,
kyvernoInformer kyvernoinformer.SharedInformerFactory,
@ -257,6 +157,8 @@ func createNonLeaderControllers(
func createReportControllers(
backgroundScan bool,
admissionReports bool,
reportsChunkSize int,
backgroundScanWorkers int,
client dclient.Interface,
kyvernoClient versioned.Interface,
metadataFactory metadatainformers.SharedInformerFactory,
@ -330,6 +232,13 @@ func createReportControllers(
}
func createrLeaderControllers(
backgroundScan bool,
admissionReports bool,
reportsChunkSize int,
backgroundScanWorkers int,
serverIP string,
webhookTimeout int,
autoUpdateWebhooks bool,
kubeInformer kubeinformers.SharedInformerFactory,
kubeKyvernoInformer kubeinformers.SharedInformerFactory,
kyvernoInformer kyvernoinformer.SharedInformerFactory,
@ -338,7 +247,7 @@ func createrLeaderControllers(
kyvernoClient versioned.Interface,
dynamicClient dclient.Interface,
configuration config.Configuration,
metricsConfig *metrics.MetricsConfig,
metricsConfig metrics.MetricsConfigManager,
eventGenerator event.Interface,
certRenewer tls.CertRenewer,
runtime runtimeutils.Runtime,
@ -386,6 +295,8 @@ func createrLeaderControllers(
reportControllers, warmup := createReportControllers(
backgroundScan,
admissionReports,
reportsChunkSize,
backgroundScanWorkers,
dynamicClient,
kyvernoClient,
metadataInformer,
@ -405,39 +316,67 @@ func createrLeaderControllers(
}
func main() {
var (
// TODO: this has been added to backward support command line arguments
// will be removed in future and the configuration will be set only via configmaps
serverIP string
webhookTimeout int
genWorkers int
maxQueuedEvents int
autoUpdateWebhooks bool
imagePullSecrets string
imageSignatureRepository string
allowInsecureRegistry bool
webhookRegistrationTimeout time.Duration
backgroundScan bool
admissionReports bool
reportsChunkSize int
backgroundScanWorkers int
dumpPayload bool
leaderElectionRetryPeriod time.Duration
// DEPRECATED: remove in 1.9
splitPolicyReport bool
)
flagset := flag.NewFlagSet("kyverno", flag.ExitOnError)
flagset.BoolVar(&dumpPayload, "dumpPayload", false, "Set this flag to activate/deactivate debug mode.")
flagset.IntVar(&webhookTimeout, "webhookTimeout", webhookcontroller.DefaultWebhookTimeout, "Timeout for webhook configurations.")
flagset.IntVar(&genWorkers, "genWorkers", 10, "Workers for generate controller.")
flagset.IntVar(&maxQueuedEvents, "maxQueuedEvents", 1000, "Maximum events to be queued.")
flagset.StringVar(&serverIP, "serverIP", "", "IP address where Kyverno controller runs. Only required if out-of-cluster.")
flagset.StringVar(&imagePullSecrets, "imagePullSecrets", "", "Secret resource names for image registry access credentials.")
flagset.StringVar(&imageSignatureRepository, "imageSignatureRepository", "", "Alternate repository for image signatures. Can be overridden per rule via `verifyImages.Repository`.")
flagset.BoolVar(&allowInsecureRegistry, "allowInsecureRegistry", false, "Whether to allow insecure connections to registries. Don't use this for anything but testing.")
flagset.BoolVar(&autoUpdateWebhooks, "autoUpdateWebhooks", true, "Set this flag to 'false' to disable auto-configuration of the webhook.")
flagset.DurationVar(&webhookRegistrationTimeout, "webhookRegistrationTimeout", 120*time.Second, "Timeout for webhook registration, e.g., 30s, 1m, 5m.")
flagset.Func(toggle.ProtectManagedResourcesFlagName, toggle.ProtectManagedResourcesDescription, toggle.ProtectManagedResources.Parse)
flagset.BoolVar(&backgroundScan, "backgroundScan", true, "Enable or disable backgound scan.")
flagset.Func(toggle.ForceFailurePolicyIgnoreFlagName, toggle.ForceFailurePolicyIgnoreDescription, toggle.ForceFailurePolicyIgnore.Parse)
flagset.BoolVar(&admissionReports, "admissionReports", true, "Enable or disable admission reports.")
flagset.IntVar(&reportsChunkSize, "reportsChunkSize", 1000, "Max number of results in generated reports, reports will be split accordingly if there are more results to be stored.")
flagset.IntVar(&backgroundScanWorkers, "backgroundScanWorkers", backgroundscancontroller.Workers, "Configure the number of background scan workers.")
flagset.DurationVar(&leaderElectionRetryPeriod, "leaderElectionRetryPeriod", leaderelection.DefaultRetryPeriod, "Configure leader election retry period.")
// DEPRECATED: remove in 1.9
flagset.BoolVar(&splitPolicyReport, "splitPolicyReport", false, "This is deprecated, please don't use it, will be removed in v1.9.")
// config
appConfig := internal.NewConfiguration(
internal.WithProfiling(),
internal.WithTracing(),
internal.WithMetrics(),
internal.WithKubeconfig(),
internal.WithFlagSets(flagset),
)
// parse flags
parseFlags(appConfig)
internal.ParseFlags(appConfig)
// setup logger
logger := internal.SetupLogger()
// setup maxprocs
undo := internal.SetupMaxProcs(logger)
defer undo()
// show version
showWarnings(logger)
// show version
internal.ShowVersion(logger)
// start profiling
internal.SetupProfiling(logger)
// create raw client
rawClient := internal.CreateKubernetesClient(logger)
// setup signals
signalCtx, signalCancel := internal.SetupSignals(logger)
defer signalCancel()
// setup maxprocs
// setup metrics
metricsConfig, metricsShutdown, err := setupMetrics(signalCtx, logger, rawClient)
if err != nil {
logger.Error(err, "failed to setup metrics")
os.Exit(1)
}
if metricsShutdown != nil {
defer metricsShutdown()
}
signalCtx, logger, metricsConfig, sdown := internal.Setup()
defer sdown()
// show version
showWarnings(logger, splitPolicyReport)
// create instrumented clients
kubeClient := internal.CreateKubernetesClient(logger, kubeclient.WithMetrics(metricsConfig, metrics.KubeClient), kubeclient.WithTracing())
leaderElectionClient := internal.CreateKubernetesClient(logger, kubeclient.WithMetrics(metricsConfig, metrics.KubeClient), kubeclient.WithTracing())
@ -449,16 +388,13 @@ func main() {
logger.Error(err, "failed to create dynamic client")
os.Exit(1)
}
// setup tracing
tracingShutdown := internal.SetupTracing(logger, "kyverno", kubeClient)
defer tracingShutdown()
// setup registry client
if err := setupRegistryClient(logger, kubeClient); err != nil {
if err := setupRegistryClient(logger, kubeClient, imagePullSecrets, allowInsecureRegistry); err != nil {
logger.Error(err, "failed to setup registry client")
os.Exit(1)
}
// setup cosign
setupCosign(logger)
setupCosign(logger, imageSignatureRepository)
// THIS IS AN UGLY FIX
// ELSE KYAML IS NOT THREAD SAFE
kyamlopenapi.Schema()
@ -510,6 +446,7 @@ func main() {
)
// create non leader controllers
nonLeaderControllers, nonLeaderBootstrap := createNonLeaderControllers(
genWorkers,
kubeInformer,
kubeKyvernoInformer,
kyvernoInformer,
@ -557,6 +494,13 @@ func main() {
metadataInformer := metadatainformers.NewSharedInformerFactory(metadataClient, 15*time.Minute)
// create leader controllers
leaderControllers, warmup, err := createrLeaderControllers(
backgroundScan,
admissionReports,
reportsChunkSize,
backgroundScanWorkers,
serverIP,
webhookTimeout,
autoUpdateWebhooks,
kubeInformer,
kubeKyvernoInformer,
kyvernoInformer,
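Review bot: `allowInsecureRegistry` is now passed from `main` into `setupRegistryClient`, where the only visible trace of it is the `"insecure"` key on an Info line, even though the flag's own help text says it is for testing only. Since `showWarnings` already takes a flag value in this change, it could take this one too and emit an explicit warning, e.g. `if allowInsecureRegistry { logger.Info("WARNING: insecure registry connections are allowed, do not use outside testing") }`, so the setting stands out in startup logs. Separately, `createrLeaderControllers` and `createReportControllers` now take adjacent same-typed positional arguments (`backgroundScan, admissionReports` and `reportsChunkSize, backgroundScanWorkers`), which the compiler cannot protect against being swapped; a small options struct would make the call sites self-describing. The bodies of `main` and of these functions continue outside the visible hunks.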


@ -12,13 +12,13 @@ import (
type controller struct {
// config
metricsConfig *metrics.MetricsConfig
metricsConfig metrics.MetricsConfigManager
}
// TODO: this is a very strange controller, it only processes events, this should be changed to a real controller
// but this is difficult as we currently can't remove existing metrics. To be reviewed when we implement a more
// solid metrics system.
func NewController(metricsConfig *metrics.MetricsConfig, cpolInformer kyvernov1informers.ClusterPolicyInformer, polInformer kyvernov1informers.PolicyInformer) {
func NewController(metricsConfig metrics.MetricsConfigManager, cpolInformer kyvernov1informers.ClusterPolicyInformer, polInformer kyvernov1informers.PolicyInformer) {
c := controller{
metricsConfig: metricsConfig,
}


@ -7,7 +7,7 @@ import (
func NewFakeMetricsConfig() *MetricsConfig {
mc := &MetricsConfig{
Config: config.NewDefaultMetricsConfiguration(),
config: config.NewDefaultMetricsConfiguration(),
Log: klog.NewKlogr(),
}
_ = mc.initializeMetrics()


@ -20,14 +20,14 @@ func InitMetrics(
transportCreds string,
kubeClient kubernetes.Interface,
log logr.Logger,
) (*MetricsConfig, *http.ServeMux, *controller.Controller, error) {
) (MetricsConfigManager, *http.ServeMux, *controller.Controller, error) {
var err error
var metricsServerMux *http.ServeMux
var pusher *controller.Controller
metricsConfig := MetricsConfig{
Log: log,
Config: metricsConfiguration,
config: metricsConfiguration,
}
err = metricsConfig.initializeMetrics()
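Review bot: Now that `InitMetrics` returns the `MetricsConfigManager` interface rather than `*MetricsConfig`, its error paths need to return a literal `nil`: returning a nil `*MetricsConfig` through the interface would hand callers a non-nil value that panics on first use. The return statements are outside this hunk, so this is worth checking there; the success path presumably returns `&metricsConfig`, since `Config()` is declared on the pointer receiver. A short doc comment on `InitMetrics` stating that the first result is nil whenever `err` is non-nil would make the contract explicit.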


@ -40,11 +40,12 @@ type MetricsConfig struct {
clientQueriesMetric syncint64.Counter
// config
Config kconfig.MetricsConfiguration
config kconfig.MetricsConfiguration
Log logr.Logger
}
type MetricsConfigManager interface {
Config() kconfig.MetricsConfiguration
RecordPolicyResults(ctx context.Context, policyValidationMode PolicyValidationMode, policyType PolicyType, policyBackgroundMode PolicyBackgroundMode, policyNamespace string, policyName string, resourceKind string, resourceNamespace string, resourceRequestOperation ResourceRequestOperation, ruleName string, ruleResult RuleResult, ruleType RuleType, ruleExecutionCause RuleExecutionCause)
RecordPolicyChanges(ctx context.Context, policyValidationMode PolicyValidationMode, policyType PolicyType, policyBackgroundMode PolicyBackgroundMode, policyNamespace string, policyName string, policyChangeType string)
RecordPolicyRuleInfo(ctx context.Context, policyValidationMode PolicyValidationMode, policyType PolicyType, policyBackgroundMode PolicyBackgroundMode, policyNamespace string, policyName string, ruleName string, ruleType RuleType, status string, metricValue float64)
@ -52,6 +53,10 @@ type MetricsConfigManager interface {
RecordClientQueries(ctx context.Context, clientQueryOperation ClientQueryOperation, clientType ClientType, resourceKind string, resourceNamespace string)
}
func (m *MetricsConfig) Config() kconfig.MetricsConfiguration {
return m.config
}
func (m *MetricsConfig) initializeMetrics() error {
var err error
meter := global.MeterProvider().Meter(MeterName)
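Review bot: The new exported `Config()` method and the `MetricsConfigManager` interface have no doc comments, and the struct is left half-encapsulated: `config` is now unexported but `Log` stays exported next to it. I would add `// Config returns the metrics configuration, which callers use for namespace filtering via CheckNamespace.` above the method and a one-line comment on the interface. If `Log` is not read outside the package, unexporting it in the same change would keep the struct's surface consistent; that cannot be confirmed from this hunk. `initializeMetrics` continues outside the hunk.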


@ -9,7 +9,7 @@ import (
func registerPolicyChangesMetric(
ctx context.Context,
m *metrics.MetricsConfig,
m metrics.MetricsConfigManager,
policyValidationMode metrics.PolicyValidationMode,
policyType metrics.PolicyType,
policyBackgroundMode metrics.PolicyBackgroundMode,
@ -19,12 +19,12 @@ func registerPolicyChangesMetric(
if policyType == metrics.Cluster {
policyNamespace = "-"
}
if m.Config.CheckNamespace(policyNamespace) {
if m.Config().CheckNamespace(policyNamespace) {
m.RecordPolicyChanges(ctx, policyValidationMode, policyType, policyBackgroundMode, policyNamespace, policyName, string(policyChangeType))
}
}
func RegisterPolicy(ctx context.Context, m *metrics.MetricsConfig, policy kyvernov1.PolicyInterface, policyChangeType PolicyChangeType) error {
func RegisterPolicy(ctx context.Context, m metrics.MetricsConfigManager, policy kyvernov1.PolicyInterface, policyChangeType PolicyChangeType) error {
name, namespace, policyType, backgroundMode, validationMode, err := metrics.GetPolicyInfos(policy)
if err != nil {
return err


@ -10,7 +10,7 @@ import (
func registerPolicyExecutionDurationMetric(
ctx context.Context,
m *metrics.MetricsConfig,
m metrics.MetricsConfigManager,
policyValidationMode metrics.PolicyValidationMode,
policyType metrics.PolicyType,
policyBackgroundMode metrics.PolicyBackgroundMode,
@ -25,14 +25,14 @@ func registerPolicyExecutionDurationMetric(
if policyType == metrics.Cluster {
policyNamespace = "-"
}
if m.Config.CheckNamespace(policyNamespace) {
if m.Config().CheckNamespace(policyNamespace) {
m.RecordPolicyExecutionDuration(ctx, policyValidationMode, policyType, policyBackgroundMode, policyNamespace, policyName, ruleName, ruleResult, ruleType, ruleExecutionCause, ruleExecutionLatency)
}
}
// policy - policy related data
// engineResponse - resource and rule related data
func ProcessEngineResponse(ctx context.Context, m *metrics.MetricsConfig, policy kyvernov1.PolicyInterface, engineResponse response.EngineResponse, executionCause metrics.RuleExecutionCause, resourceRequestOperation metrics.ResourceRequestOperation) error {
func ProcessEngineResponse(ctx context.Context, m metrics.MetricsConfigManager, policy kyvernov1.PolicyInterface, engineResponse response.EngineResponse, executionCause metrics.RuleExecutionCause, resourceRequestOperation metrics.ResourceRequestOperation) error {
name, namespace, policyType, backgroundMode, validationMode, err := metrics.GetPolicyInfos(policy)
if err != nil {
return err


@ -10,7 +10,7 @@ import (
func registerPolicyResultsMetric(
ctx context.Context,
m *metrics.MetricsConfig,
m metrics.MetricsConfigManager,
policyValidationMode metrics.PolicyValidationMode,
policyType metrics.PolicyType,
policyBackgroundMode metrics.PolicyBackgroundMode,
@ -25,14 +25,14 @@ func registerPolicyResultsMetric(
if policyType == metrics.Cluster {
policyNamespace = "-"
}
if m.Config.CheckNamespace(policyNamespace) {
if m.Config().CheckNamespace(policyNamespace) {
m.RecordPolicyResults(ctx, policyValidationMode, policyType, policyBackgroundMode, policyNamespace, policyName, resourceKind, resourceNamespace, resourceRequestOperation, ruleName, ruleResult, ruleType, ruleExecutionCause)
}
}
// policy - policy related data
// engineResponse - resource and rule related data
func ProcessEngineResponse(ctx context.Context, m *metrics.MetricsConfig, policy kyvernov1.PolicyInterface, engineResponse response.EngineResponse, executionCause metrics.RuleExecutionCause, resourceRequestOperation metrics.ResourceRequestOperation) error {
func ProcessEngineResponse(ctx context.Context, m metrics.MetricsConfigManager, policy kyvernov1.PolicyInterface, engineResponse response.EngineResponse, executionCause metrics.RuleExecutionCause, resourceRequestOperation metrics.ResourceRequestOperation) error {
name, namespace, policyType, backgroundMode, validationMode, err := metrics.GetPolicyInfos(policy)
if err != nil {
return err


@ -11,7 +11,7 @@ import (
func registerPolicyRuleInfoMetric(
ctx context.Context,
m *metrics.MetricsConfig,
m metrics.MetricsConfigManager,
policyValidationMode metrics.PolicyValidationMode,
policyType metrics.PolicyType,
policyBackgroundMode metrics.PolicyBackgroundMode,
@ -29,7 +29,7 @@ func registerPolicyRuleInfoMetric(
default:
return fmt.Errorf("unknown metric change type found: %s", metricChangeType)
}
if m.Config.CheckNamespace(policyNamespace) {
if m.Config().CheckNamespace(policyNamespace) {
if policyType == metrics.Cluster {
policyNamespace = "-"
}
@ -42,7 +42,7 @@ func registerPolicyRuleInfoMetric(
return nil
}
func AddPolicy(ctx context.Context, m *metrics.MetricsConfig, policy kyvernov1.PolicyInterface) error {
func AddPolicy(ctx context.Context, m metrics.MetricsConfigManager, policy kyvernov1.PolicyInterface) error {
name, namespace, policyType, backgroundMode, validationMode, err := metrics.GetPolicyInfos(policy)
if err != nil {
return err
@ -58,7 +58,7 @@ func AddPolicy(ctx context.Context, m *metrics.MetricsConfig, policy kyvernov1.P
return nil
}
func RemovePolicy(ctx context.Context, m *metrics.MetricsConfig, policy kyvernov1.PolicyInterface) error {
func RemovePolicy(ctx context.Context, m metrics.MetricsConfigManager, policy kyvernov1.PolicyInterface) error {
name, namespace, policyType, backgroundMode, validationMode, err := metrics.GetPolicyInfos(policy)
if err != nil {
return err
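Review bot: In `registerPolicyRuleInfoMetric` the namespace filter `m.Config().CheckNamespace(policyNamespace)` runs before cluster-scoped policies are rewritten to `"-"`, whereas `registerPolicyChangesMetric`, `registerPolicyExecutionDurationMetric` and `registerPolicyResultsMetric` on this page do the rewrite first and filter on `"-"`. Depending on how `CheckNamespace` treats those two values, cluster policies may be included or excluded differently for this one metric. Since the line is being touched anyway, moving `if policyType == metrics.Cluster { policyNamespace = "-" }` above the `CheckNamespace` call would align it with the other three; if the difference is intentional, a comment saying so would help. The function body starts and ends outside the visible hunks.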


@ -86,7 +86,7 @@ type PolicyController struct {
log logr.Logger
metricsConfig *metrics.MetricsConfig
metricsConfig metrics.MetricsConfigManager
}
// NewPolicyController create a new PolicyController
@ -101,7 +101,7 @@ func NewPolicyController(
namespaces corev1informers.NamespaceInformer,
log logr.Logger,
reconcilePeriod time.Duration,
metricsConfig *metrics.MetricsConfig,
metricsConfig metrics.MetricsConfigManager,
) (*PolicyController, error) {
// Event broad caster
eventBroadcaster := record.NewBroadcaster()


@ -33,7 +33,7 @@ type GenerationHandler interface {
// TODO: why do we need to expose that ?
HandleUpdatesForGenerateRules(*admissionv1.AdmissionRequest, []kyvernov1.PolicyInterface)
Handle(
*metrics.MetricsConfig,
metrics.MetricsConfigManager,
*admissionv1.AdmissionRequest,
[]kyvernov1.PolicyInterface,
*engine.PolicyContext,
@ -76,7 +76,7 @@ type generationHandler struct {
// Handle handles admission-requests for policies with generate rules
func (h *generationHandler) Handle(
metricsConfig *metrics.MetricsConfig,
metricsConfig metrics.MetricsConfigManager,
request *admissionv1.AdmissionRequest,
policies []kyvernov1.PolicyInterface,
policyContext *engine.PolicyContext,


@ -40,7 +40,7 @@ type handlers struct {
// config
configuration config.Configuration
metricsConfig *metrics.MetricsConfig
metricsConfig metrics.MetricsConfigManager
// cache
pCache policycache.Cache
@ -64,7 +64,7 @@ func NewHandlers(
client dclient.Interface,
kyvernoClient versioned.Interface,
configuration config.Configuration,
metricsConfig *metrics.MetricsConfig,
metricsConfig metrics.MetricsConfigManager,
pCache policycache.Cache,
nsLister corev1listers.NamespaceLister,
rbLister rbacv1listers.RoleBindingLister,


@ -24,7 +24,7 @@ import (
type ImageVerificationHandler interface {
Handle(
*metrics.MetricsConfig,
metrics.MetricsConfigManager,
*admissionv1.AdmissionRequest,
[]kyvernov1.PolicyInterface,
*engine.PolicyContext,
@ -53,7 +53,7 @@ type imageVerificationHandler struct {
}
func (h *imageVerificationHandler) Handle(
metricsConfig *metrics.MetricsConfig,
metricsConfig metrics.MetricsConfigManager,
request *admissionv1.AdmissionRequest,
policies []kyvernov1.PolicyInterface,
policyContext *engine.PolicyContext,


@ -30,7 +30,7 @@ type MutationHandler interface {
// If there are no errors in validating rule we apply generation rules
// patchedResource is the (resource + patches) after applying mutation rules
HandleMutation(
*metrics.MetricsConfig,
metrics.MetricsConfigManager,
*admissionv1.AdmissionRequest,
[]kyvernov1.PolicyInterface,
*engine.PolicyContext,
@ -61,7 +61,7 @@ type mutationHandler struct {
}
func (h *mutationHandler) HandleMutation(
metricsConfig *metrics.MetricsConfig,
metricsConfig metrics.MetricsConfigManager,
request *admissionv1.AdmissionRequest,
policies []kyvernov1.PolicyInterface,
policyContext *engine.PolicyContext,
@ -78,7 +78,7 @@ func (h *mutationHandler) HandleMutation(
// applyMutations handles mutating webhook admission request
// return value: generated patches, triggered policies, engine responses correspdonding to the triggered policies
func (v *mutationHandler) applyMutations(
metricsConfig *metrics.MetricsConfig,
metricsConfig metrics.MetricsConfigManager,
request *admissionv1.AdmissionRequest,
policies []kyvernov1.PolicyInterface,
policyContext *engine.PolicyContext,


@ -27,7 +27,7 @@ type ValidationHandler interface {
// HandleValidation handles validating webhook admission request
// If there are no errors in validating rule we apply generation rules
// patchedResource is the (resource + patches) after applying mutation rules
HandleValidation(*metrics.MetricsConfig, *admissionv1.AdmissionRequest, []kyvernov1.PolicyInterface, *engine.PolicyContext, map[string]string, time.Time) (bool, string, []string)
HandleValidation(metrics.MetricsConfigManager, *admissionv1.AdmissionRequest, []kyvernov1.PolicyInterface, *engine.PolicyContext, map[string]string, time.Time) (bool, string, []string)
}
func NewValidationHandler(
@ -58,7 +58,7 @@ type validationHandler struct {
}
func (v *validationHandler) HandleValidation(
metricsConfig *metrics.MetricsConfig,
metricsConfig metrics.MetricsConfigManager,
request *admissionv1.AdmissionRequest,
policies []kyvernov1.PolicyInterface,
policyContext *engine.PolicyContext,


@ -67,7 +67,7 @@ func NewServer(
policyHandlers PolicyHandlers,
resourceHandlers ResourceHandlers,
configuration config.Configuration,
metricsConfig *metrics.MetricsConfig,
metricsConfig metrics.MetricsConfigManager,
debugModeOpts DebugModeOptions,
tlsProvider TlsProvider,
mwcClient controllerutils.DeleteClient[*admissionregistrationv1.MutatingWebhookConfiguration],
@ -90,7 +90,7 @@ func NewServer(
WithProtection(toggle.ProtectManagedResources.Enabled()).
WithDump(debugModeOpts.DumpPayload).
WithOperationFilter(admissionv1.Create, admissionv1.Update, admissionv1.Connect).
WithMetrics(resourceLogger, metricsConfig.Config, metrics.WebhookMutating).
WithMetrics(resourceLogger, metricsConfig.Config(), metrics.WebhookMutating).
WithAdmission(resourceLogger.WithName("mutate"))
},
)
@ -104,7 +104,7 @@ func NewServer(
WithFilter(configuration).
WithProtection(toggle.ProtectManagedResources.Enabled()).
WithDump(debugModeOpts.DumpPayload).
WithMetrics(resourceLogger, metricsConfig.Config, metrics.WebhookValidating).
WithMetrics(resourceLogger, metricsConfig.Config(), metrics.WebhookValidating).
WithAdmission(resourceLogger.WithName("validate"))
},
)
@ -113,7 +113,7 @@ func NewServer(
config.PolicyMutatingWebhookServicePath,
handlers.FromAdmissionFunc("MUTATE", policyHandlers.Mutate).
WithDump(debugModeOpts.DumpPayload).
WithMetrics(policyLogger, metricsConfig.Config, metrics.WebhookMutating).
WithMetrics(policyLogger, metricsConfig.Config(), metrics.WebhookMutating).
WithAdmission(policyLogger.WithName("mutate")).
ToHandlerFunc(),
)
@ -123,7 +123,7 @@ func NewServer(
handlers.FromAdmissionFunc("VALIDATE", policyHandlers.Validate).
WithDump(debugModeOpts.DumpPayload).
WithSubResourceFilter().
WithMetrics(policyLogger, metricsConfig.Config, metrics.WebhookValidating).
WithMetrics(policyLogger, metricsConfig.Config(), metrics.WebhookValidating).
WithAdmission(policyLogger.WithName("validate")).
ToHandlerFunc(),
)


@ -26,19 +26,19 @@ func registerMetric(logger logr.Logger, m string, requestOperation string, r rep
// POLICY RESULTS
func RegisterPolicyResultsMetricMutation(ctx context.Context, logger logr.Logger, metricsConfig *metrics.MetricsConfig, requestOperation string, policy kyvernov1.PolicyInterface, engineResponse response.EngineResponse) {
func RegisterPolicyResultsMetricMutation(ctx context.Context, logger logr.Logger, metricsConfig metrics.MetricsConfigManager, requestOperation string, policy kyvernov1.PolicyInterface, engineResponse response.EngineResponse) {
registerMetric(logger, "kyverno_policy_results_total", requestOperation, func(op metrics.ResourceRequestOperation) error {
return policyResults.ProcessEngineResponse(ctx, metricsConfig, policy, engineResponse, metrics.AdmissionRequest, op)
})
}
func RegisterPolicyResultsMetricValidation(ctx context.Context, logger logr.Logger, metricsConfig *metrics.MetricsConfig, requestOperation string, policy kyvernov1.PolicyInterface, engineResponse response.EngineResponse) {
func RegisterPolicyResultsMetricValidation(ctx context.Context, logger logr.Logger, metricsConfig metrics.MetricsConfigManager, requestOperation string, policy kyvernov1.PolicyInterface, engineResponse response.EngineResponse) {
registerMetric(logger, "kyverno_policy_results_total", requestOperation, func(op metrics.ResourceRequestOperation) error {
return policyResults.ProcessEngineResponse(ctx, metricsConfig, policy, engineResponse, metrics.AdmissionRequest, op)
})
}
func RegisterPolicyResultsMetricGeneration(ctx context.Context, logger logr.Logger, metricsConfig *metrics.MetricsConfig, requestOperation string, policy kyvernov1.PolicyInterface, engineResponse response.EngineResponse) {
func RegisterPolicyResultsMetricGeneration(ctx context.Context, logger logr.Logger, metricsConfig metrics.MetricsConfigManager, requestOperation string, policy kyvernov1.PolicyInterface, engineResponse response.EngineResponse) {
registerMetric(logger, "kyverno_policy_results_total", requestOperation, func(op metrics.ResourceRequestOperation) error {
return policyResults.ProcessEngineResponse(ctx, metricsConfig, policy, engineResponse, metrics.AdmissionRequest, op)
})
@ -46,19 +46,19 @@ func RegisterPolicyResultsMetricGeneration(ctx context.Context, logger logr.Logg
// POLICY EXECUTION
func RegisterPolicyExecutionDurationMetricMutate(ctx context.Context, logger logr.Logger, metricsConfig *metrics.MetricsConfig, requestOperation string, policy kyvernov1.PolicyInterface, engineResponse response.EngineResponse) {
func RegisterPolicyExecutionDurationMetricMutate(ctx context.Context, logger logr.Logger, metricsConfig metrics.MetricsConfigManager, requestOperation string, policy kyvernov1.PolicyInterface, engineResponse response.EngineResponse) {
registerMetric(logger, "kyverno_policy_execution_duration_seconds", requestOperation, func(op metrics.ResourceRequestOperation) error {
return policyExecutionDuration.ProcessEngineResponse(ctx, metricsConfig, policy, engineResponse, metrics.AdmissionRequest, op)
})
}
func RegisterPolicyExecutionDurationMetricValidate(ctx context.Context, logger logr.Logger, metricsConfig *metrics.MetricsConfig, requestOperation string, policy kyvernov1.PolicyInterface, engineResponse response.EngineResponse) {
func RegisterPolicyExecutionDurationMetricValidate(ctx context.Context, logger logr.Logger, metricsConfig metrics.MetricsConfigManager, requestOperation string, policy kyvernov1.PolicyInterface, engineResponse response.EngineResponse) {
registerMetric(logger, "kyverno_policy_execution_duration_seconds", requestOperation, func(op metrics.ResourceRequestOperation) error {
return policyExecutionDuration.ProcessEngineResponse(ctx, metricsConfig, policy, engineResponse, metrics.AdmissionRequest, op)
})
}
func RegisterPolicyExecutionDurationMetricGenerate(ctx context.Context, logger logr.Logger, metricsConfig *metrics.MetricsConfig, requestOperation string, policy kyvernov1.PolicyInterface, engineResponse response.EngineResponse) {
func RegisterPolicyExecutionDurationMetricGenerate(ctx context.Context, logger logr.Logger, metricsConfig metrics.MetricsConfigManager, requestOperation string, policy kyvernov1.PolicyInterface, engineResponse response.EngineResponse) {
registerMetric(logger, "kyverno_policy_execution_duration_seconds", requestOperation, func(op metrics.ResourceRequestOperation) error {
return policyExecutionDuration.ProcessEngineResponse(ctx, metricsConfig, policy, engineResponse, metrics.AdmissionRequest, op)
})