refactor: use internal cmd package in kyverno (#5507)
parent
6fe8d773ee
commit
1ea4a0db19
17 changed files with 123 additions and 174 deletions
|
@ -6,7 +6,6 @@ import (
|
|||
"errors"
|
||||
"flag"
|
||||
"fmt"
|
||||
"net/http"
|
||||
"os"
|
||||
"strings"
|
||||
"sync"
|
||||
|
@ -61,107 +60,7 @@ const (
|
|||
resyncPeriod = 15 * time.Minute
|
||||
)
|
||||
|
||||
var (
|
||||
// TODO: this has been added to backward support command line arguments
|
||||
// will be removed in future and the configuration will be set only via configmaps
|
||||
serverIP string
|
||||
metricsPort string
|
||||
webhookTimeout int
|
||||
genWorkers int
|
||||
maxQueuedEvents int
|
||||
disableMetricsExport bool
|
||||
otel string
|
||||
otelCollector string
|
||||
transportCreds string
|
||||
autoUpdateWebhooks bool
|
||||
imagePullSecrets string
|
||||
imageSignatureRepository string
|
||||
allowInsecureRegistry bool
|
||||
webhookRegistrationTimeout time.Duration
|
||||
backgroundScan bool
|
||||
admissionReports bool
|
||||
reportsChunkSize int
|
||||
backgroundScanWorkers int
|
||||
dumpPayload bool
|
||||
leaderElectionRetryPeriod time.Duration
|
||||
// DEPRECATED: remove in 1.9
|
||||
splitPolicyReport bool
|
||||
)
|
||||
|
||||
func parseFlags(config internal.Configuration) {
|
||||
internal.InitFlags(config)
|
||||
flag.BoolVar(&dumpPayload, "dumpPayload", false, "Set this flag to activate/deactivate debug mode.")
|
||||
flag.IntVar(&webhookTimeout, "webhookTimeout", webhookcontroller.DefaultWebhookTimeout, "Timeout for webhook configurations.")
|
||||
flag.IntVar(&genWorkers, "genWorkers", 10, "Workers for generate controller.")
|
||||
flag.IntVar(&maxQueuedEvents, "maxQueuedEvents", 1000, "Maximum events to be queued.")
|
||||
flag.StringVar(&serverIP, "serverIP", "", "IP address where Kyverno controller runs. Only required if out-of-cluster.")
|
||||
flag.BoolVar(&disableMetricsExport, "disableMetrics", false, "Set this flag to 'true' to disable metrics.")
|
||||
flag.StringVar(&otel, "otelConfig", "prometheus", "Set this flag to 'grpc', to enable exporting metrics to an Opentelemetry Collector. The default collector is set to \"prometheus\"")
|
||||
flag.StringVar(&otelCollector, "otelCollector", "opentelemetrycollector.kyverno.svc.cluster.local", "Set this flag to the OpenTelemetry Collector Service Address. Kyverno will try to connect to this on the metrics port.")
|
||||
flag.StringVar(&transportCreds, "transportCreds", "", "Set this flag to the CA secret containing the certificate which is used by our Opentelemetry Metrics Client. If empty string is set, means an insecure connection will be used")
|
||||
flag.StringVar(&metricsPort, "metricsPort", "8000", "Expose prometheus metrics at the given port, default to 8000.")
|
||||
flag.StringVar(&imagePullSecrets, "imagePullSecrets", "", "Secret resource names for image registry access credentials.")
|
||||
flag.StringVar(&imageSignatureRepository, "imageSignatureRepository", "", "Alternate repository for image signatures. Can be overridden per rule via `verifyImages.Repository`.")
|
||||
flag.BoolVar(&allowInsecureRegistry, "allowInsecureRegistry", false, "Whether to allow insecure connections to registries. Don't use this for anything but testing.")
|
||||
flag.BoolVar(&autoUpdateWebhooks, "autoUpdateWebhooks", true, "Set this flag to 'false' to disable auto-configuration of the webhook.")
|
||||
flag.DurationVar(&webhookRegistrationTimeout, "webhookRegistrationTimeout", 120*time.Second, "Timeout for webhook registration, e.g., 30s, 1m, 5m.")
|
||||
flag.Func(toggle.ProtectManagedResourcesFlagName, toggle.ProtectManagedResourcesDescription, toggle.ProtectManagedResources.Parse)
|
||||
flag.BoolVar(&backgroundScan, "backgroundScan", true, "Enable or disable backgound scan.")
|
||||
flag.Func(toggle.ForceFailurePolicyIgnoreFlagName, toggle.ForceFailurePolicyIgnoreDescription, toggle.ForceFailurePolicyIgnore.Parse)
|
||||
flag.BoolVar(&admissionReports, "admissionReports", true, "Enable or disable admission reports.")
|
||||
flag.IntVar(&reportsChunkSize, "reportsChunkSize", 1000, "Max number of results in generated reports, reports will be split accordingly if there are more results to be stored.")
|
||||
flag.IntVar(&backgroundScanWorkers, "backgroundScanWorkers", backgroundscancontroller.Workers, "Configure the number of background scan workers.")
|
||||
flag.DurationVar(&leaderElectionRetryPeriod, "leaderElectionRetryPeriod", leaderelection.DefaultRetryPeriod, "Configure leader election retry period.")
|
||||
// DEPRECATED: remove in 1.9
|
||||
flag.BoolVar(&splitPolicyReport, "splitPolicyReport", false, "This is deprecated, please don't use it, will be removed in v1.9.")
|
||||
flag.Parse()
|
||||
}
|
||||
|
||||
func setupMetrics(ctx context.Context, logger logr.Logger, kubeClient kubernetes.Interface) (*metrics.MetricsConfig, context.CancelFunc, error) {
|
||||
logger = logger.WithName("metrics")
|
||||
logger.Info("setup metrics...", "otel", otel, "port", metricsPort, "collector", otelCollector, "creds", transportCreds)
|
||||
metricsConfiguration := internal.GetMetricsConfiguration(logger, kubeClient)
|
||||
metricsAddr := ":" + metricsPort
|
||||
metricsConfig, metricsServerMux, metricsPusher, err := metrics.InitMetrics(
|
||||
ctx,
|
||||
disableMetricsExport,
|
||||
otel,
|
||||
metricsAddr,
|
||||
otelCollector,
|
||||
metricsConfiguration,
|
||||
transportCreds,
|
||||
kubeClient,
|
||||
logging.WithName("metrics"),
|
||||
)
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
var cancel context.CancelFunc
|
||||
if otel == "grpc" {
|
||||
cancel = func() {
|
||||
ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
|
||||
defer cancel()
|
||||
metrics.ShutDownController(ctx, metricsPusher)
|
||||
}
|
||||
}
|
||||
if otel == "prometheus" {
|
||||
go func() {
|
||||
metricsServer := http.Server{
|
||||
Addr: metricsAddr,
|
||||
Handler: metricsServerMux,
|
||||
ErrorLog: logging.StdLogger(logger, ""),
|
||||
ReadHeaderTimeout: 30 * time.Second,
|
||||
}
|
||||
if err := metricsServer.ListenAndServe(); err != nil {
|
||||
logger.Error(err, "failed to enable metrics", "address", metricsAddr)
|
||||
os.Exit(1)
|
||||
}
|
||||
}()
|
||||
}
|
||||
return metricsConfig, cancel, nil
|
||||
}
|
||||
|
||||
func setupRegistryClient(logger logr.Logger, kubeClient kubernetes.Interface) error {
|
||||
func setupRegistryClient(logger logr.Logger, kubeClient kubernetes.Interface, imagePullSecrets string, allowInsecureRegistry bool) error {
|
||||
logger = logger.WithName("registry-client")
|
||||
logger.Info("setup registry client...", "secrets", imagePullSecrets, "insecure", allowInsecureRegistry)
|
||||
var registryOptions []registryclient.Option
|
||||
|
@ -180,7 +79,7 @@ func setupRegistryClient(logger logr.Logger, kubeClient kubernetes.Interface) er
|
|||
return nil
|
||||
}
|
||||
|
||||
func setupCosign(logger logr.Logger) {
|
||||
func setupCosign(logger logr.Logger, imageSignatureRepository string) {
|
||||
logger = logger.WithName("cosign")
|
||||
logger.Info("setup cosign...", "repository", imageSignatureRepository)
|
||||
if imageSignatureRepository != "" {
|
||||
|
@ -188,7 +87,7 @@ func setupCosign(logger logr.Logger) {
|
|||
}
|
||||
}
|
||||
|
||||
func showWarnings(logger logr.Logger) {
|
||||
func showWarnings(logger logr.Logger, splitPolicyReport bool) {
|
||||
logger = logger.WithName("warnings")
|
||||
// DEPRECATED: remove in 1.9
|
||||
if splitPolicyReport {
|
||||
|
@ -208,6 +107,7 @@ func sanityChecks(dynamicClient dclient.Interface) error {
|
|||
}
|
||||
|
||||
func createNonLeaderControllers(
|
||||
genWorkers int,
|
||||
kubeInformer kubeinformers.SharedInformerFactory,
|
||||
kubeKyvernoInformer kubeinformers.SharedInformerFactory,
|
||||
kyvernoInformer kyvernoinformer.SharedInformerFactory,
|
||||
|
@ -257,6 +157,8 @@ func createNonLeaderControllers(
|
|||
func createReportControllers(
|
||||
backgroundScan bool,
|
||||
admissionReports bool,
|
||||
reportsChunkSize int,
|
||||
backgroundScanWorkers int,
|
||||
client dclient.Interface,
|
||||
kyvernoClient versioned.Interface,
|
||||
metadataFactory metadatainformers.SharedInformerFactory,
|
||||
|
@ -330,6 +232,13 @@ func createReportControllers(
|
|||
}
|
||||
|
||||
func createrLeaderControllers(
|
||||
backgroundScan bool,
|
||||
admissionReports bool,
|
||||
reportsChunkSize int,
|
||||
backgroundScanWorkers int,
|
||||
serverIP string,
|
||||
webhookTimeout int,
|
||||
autoUpdateWebhooks bool,
|
||||
kubeInformer kubeinformers.SharedInformerFactory,
|
||||
kubeKyvernoInformer kubeinformers.SharedInformerFactory,
|
||||
kyvernoInformer kyvernoinformer.SharedInformerFactory,
|
||||
|
@ -338,7 +247,7 @@ func createrLeaderControllers(
|
|||
kyvernoClient versioned.Interface,
|
||||
dynamicClient dclient.Interface,
|
||||
configuration config.Configuration,
|
||||
metricsConfig *metrics.MetricsConfig,
|
||||
metricsConfig metrics.MetricsConfigManager,
|
||||
eventGenerator event.Interface,
|
||||
certRenewer tls.CertRenewer,
|
||||
runtime runtimeutils.Runtime,
|
||||
|
@ -386,6 +295,8 @@ func createrLeaderControllers(
|
|||
reportControllers, warmup := createReportControllers(
|
||||
backgroundScan,
|
||||
admissionReports,
|
||||
reportsChunkSize,
|
||||
backgroundScanWorkers,
|
||||
dynamicClient,
|
||||
kyvernoClient,
|
||||
metadataInformer,
|
||||
|
@ -405,39 +316,67 @@ func createrLeaderControllers(
|
|||
}
|
||||
|
||||
func main() {
|
||||
var (
|
||||
// TODO: this has been added to backward support command line arguments
|
||||
// will be removed in future and the configuration will be set only via configmaps
|
||||
serverIP string
|
||||
webhookTimeout int
|
||||
genWorkers int
|
||||
maxQueuedEvents int
|
||||
autoUpdateWebhooks bool
|
||||
imagePullSecrets string
|
||||
imageSignatureRepository string
|
||||
allowInsecureRegistry bool
|
||||
webhookRegistrationTimeout time.Duration
|
||||
backgroundScan bool
|
||||
admissionReports bool
|
||||
reportsChunkSize int
|
||||
backgroundScanWorkers int
|
||||
dumpPayload bool
|
||||
leaderElectionRetryPeriod time.Duration
|
||||
// DEPRECATED: remove in 1.9
|
||||
splitPolicyReport bool
|
||||
)
|
||||
flagset := flag.NewFlagSet("kyverno", flag.ExitOnError)
|
||||
flagset.BoolVar(&dumpPayload, "dumpPayload", false, "Set this flag to activate/deactivate debug mode.")
|
||||
flagset.IntVar(&webhookTimeout, "webhookTimeout", webhookcontroller.DefaultWebhookTimeout, "Timeout for webhook configurations.")
|
||||
flagset.IntVar(&genWorkers, "genWorkers", 10, "Workers for generate controller.")
|
||||
flagset.IntVar(&maxQueuedEvents, "maxQueuedEvents", 1000, "Maximum events to be queued.")
|
||||
flagset.StringVar(&serverIP, "serverIP", "", "IP address where Kyverno controller runs. Only required if out-of-cluster.")
|
||||
flagset.StringVar(&imagePullSecrets, "imagePullSecrets", "", "Secret resource names for image registry access credentials.")
|
||||
flagset.StringVar(&imageSignatureRepository, "imageSignatureRepository", "", "Alternate repository for image signatures. Can be overridden per rule via `verifyImages.Repository`.")
|
||||
flagset.BoolVar(&allowInsecureRegistry, "allowInsecureRegistry", false, "Whether to allow insecure connections to registries. Don't use this for anything but testing.")
|
||||
flagset.BoolVar(&autoUpdateWebhooks, "autoUpdateWebhooks", true, "Set this flag to 'false' to disable auto-configuration of the webhook.")
|
||||
flagset.DurationVar(&webhookRegistrationTimeout, "webhookRegistrationTimeout", 120*time.Second, "Timeout for webhook registration, e.g., 30s, 1m, 5m.")
|
||||
flagset.Func(toggle.ProtectManagedResourcesFlagName, toggle.ProtectManagedResourcesDescription, toggle.ProtectManagedResources.Parse)
|
||||
flagset.BoolVar(&backgroundScan, "backgroundScan", true, "Enable or disable backgound scan.")
|
||||
flagset.Func(toggle.ForceFailurePolicyIgnoreFlagName, toggle.ForceFailurePolicyIgnoreDescription, toggle.ForceFailurePolicyIgnore.Parse)
|
||||
flagset.BoolVar(&admissionReports, "admissionReports", true, "Enable or disable admission reports.")
|
||||
flagset.IntVar(&reportsChunkSize, "reportsChunkSize", 1000, "Max number of results in generated reports, reports will be split accordingly if there are more results to be stored.")
|
||||
flagset.IntVar(&backgroundScanWorkers, "backgroundScanWorkers", backgroundscancontroller.Workers, "Configure the number of background scan workers.")
|
||||
flagset.DurationVar(&leaderElectionRetryPeriod, "leaderElectionRetryPeriod", leaderelection.DefaultRetryPeriod, "Configure leader election retry period.")
|
||||
// DEPRECATED: remove in 1.9
|
||||
flagset.BoolVar(&splitPolicyReport, "splitPolicyReport", false, "This is deprecated, please don't use it, will be removed in v1.9.")
|
||||
// config
|
||||
appConfig := internal.NewConfiguration(
|
||||
internal.WithProfiling(),
|
||||
internal.WithTracing(),
|
||||
internal.WithMetrics(),
|
||||
internal.WithKubeconfig(),
|
||||
internal.WithFlagSets(flagset),
|
||||
)
|
||||
// parse flags
|
||||
parseFlags(appConfig)
|
||||
internal.ParseFlags(appConfig)
|
||||
// setup logger
|
||||
logger := internal.SetupLogger()
|
||||
// setup maxprocs
|
||||
undo := internal.SetupMaxProcs(logger)
|
||||
defer undo()
|
||||
// show version
|
||||
showWarnings(logger)
|
||||
// show version
|
||||
internal.ShowVersion(logger)
|
||||
// start profiling
|
||||
internal.SetupProfiling(logger)
|
||||
// create raw client
|
||||
rawClient := internal.CreateKubernetesClient(logger)
|
||||
// setup signals
|
||||
signalCtx, signalCancel := internal.SetupSignals(logger)
|
||||
defer signalCancel()
|
||||
// setup maxprocs
|
||||
// setup metrics
|
||||
metricsConfig, metricsShutdown, err := setupMetrics(signalCtx, logger, rawClient)
|
||||
if err != nil {
|
||||
logger.Error(err, "failed to setup metrics")
|
||||
os.Exit(1)
|
||||
}
|
||||
if metricsShutdown != nil {
|
||||
defer metricsShutdown()
|
||||
}
|
||||
signalCtx, logger, metricsConfig, sdown := internal.Setup()
|
||||
defer sdown()
|
||||
// show version
|
||||
showWarnings(logger, splitPolicyReport)
|
||||
// create instrumented clients
|
||||
kubeClient := internal.CreateKubernetesClient(logger, kubeclient.WithMetrics(metricsConfig, metrics.KubeClient), kubeclient.WithTracing())
|
||||
leaderElectionClient := internal.CreateKubernetesClient(logger, kubeclient.WithMetrics(metricsConfig, metrics.KubeClient), kubeclient.WithTracing())
|
||||
|
@ -449,16 +388,13 @@ func main() {
|
|||
logger.Error(err, "failed to create dynamic client")
|
||||
os.Exit(1)
|
||||
}
|
||||
// setup tracing
|
||||
tracingShutdown := internal.SetupTracing(logger, "kyverno", kubeClient)
|
||||
defer tracingShutdown()
|
||||
// setup registry client
|
||||
if err := setupRegistryClient(logger, kubeClient); err != nil {
|
||||
if err := setupRegistryClient(logger, kubeClient, imagePullSecrets, allowInsecureRegistry); err != nil {
|
||||
logger.Error(err, "failed to setup registry client")
|
||||
os.Exit(1)
|
||||
}
|
||||
// setup cosign
|
||||
setupCosign(logger)
|
||||
setupCosign(logger, imageSignatureRepository)
|
||||
// THIS IS AN UGLY FIX
|
||||
// ELSE KYAML IS NOT THREAD SAFE
|
||||
kyamlopenapi.Schema()
|
||||
|
@ -510,6 +446,7 @@ func main() {
|
|||
)
|
||||
// create non leader controllers
|
||||
nonLeaderControllers, nonLeaderBootstrap := createNonLeaderControllers(
|
||||
genWorkers,
|
||||
kubeInformer,
|
||||
kubeKyvernoInformer,
|
||||
kyvernoInformer,
|
||||
|
@ -557,6 +494,13 @@ func main() {
|
|||
metadataInformer := metadatainformers.NewSharedInformerFactory(metadataClient, 15*time.Minute)
|
||||
// create leader controllers
|
||||
leaderControllers, warmup, err := createrLeaderControllers(
|
||||
backgroundScan,
|
||||
admissionReports,
|
||||
reportsChunkSize,
|
||||
backgroundScanWorkers,
|
||||
serverIP,
|
||||
webhookTimeout,
|
||||
autoUpdateWebhooks,
|
||||
kubeInformer,
|
||||
kubeKyvernoInformer,
|
||||
kyvernoInformer,
|
||||
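Review bot: `createrLeaderControllers` and `createReportControllers` now open with a run of positional primitives (`backgroundScan bool, admissionReports bool, reportsChunkSize int, backgroundScanWorkers int, serverIP string, webhookTimeout int, autoUpdateWebhooks bool`) and the call in main passes them positionally, so two adjacent bools or ints swapped at the call site would compile silently. A small options struct holding the parsed flag values would make the call self-describing and keep the two signatures in step. Separately, the comment above `showWarnings(logger, splitPolicyReport)` still reads `// show version`; it should read `// show warnings`. The removed `setupMetrics` set `ReadHeaderTimeout: 30 * time.Second` on the metrics HTTP server and bounded the otel shutdown with a 20s context; both presumably now live behind `internal.Setup()`, which is not on this page, so it is worth confirming they were carried over rather than dropped.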
|
|
|
@ -12,13 +12,13 @@ import (
|
|||
|
||||
type controller struct {
|
||||
// config
|
||||
metricsConfig *metrics.MetricsConfig
|
||||
metricsConfig metrics.MetricsConfigManager
|
||||
}
|
||||
|
||||
// TODO: this is a very strange controller, it only processes events, this should be changed to a real controller
|
||||
// but this is difficult as we currently can't remove existing metrics. To be reviewed when we implement a more
|
||||
// solid metrics system.
|
||||
func NewController(metricsConfig *metrics.MetricsConfig, cpolInformer kyvernov1informers.ClusterPolicyInformer, polInformer kyvernov1informers.PolicyInformer) {
|
||||
func NewController(metricsConfig metrics.MetricsConfigManager, cpolInformer kyvernov1informers.ClusterPolicyInformer, polInformer kyvernov1informers.PolicyInformer) {
|
||||
c := controller{
|
||||
metricsConfig: metricsConfig,
|
||||
}
|
||||
|
|
|
@ -7,7 +7,7 @@ import (
|
|||
|
||||
func NewFakeMetricsConfig() *MetricsConfig {
|
||||
mc := &MetricsConfig{
|
||||
Config: config.NewDefaultMetricsConfiguration(),
|
||||
config: config.NewDefaultMetricsConfiguration(),
|
||||
Log: klog.NewKlogr(),
|
||||
}
|
||||
_ = mc.initializeMetrics()
|
||||
|
|
|
@ -20,14 +20,14 @@ func InitMetrics(
|
|||
transportCreds string,
|
||||
kubeClient kubernetes.Interface,
|
||||
log logr.Logger,
|
||||
) (*MetricsConfig, *http.ServeMux, *controller.Controller, error) {
|
||||
) (MetricsConfigManager, *http.ServeMux, *controller.Controller, error) {
|
||||
var err error
|
||||
var metricsServerMux *http.ServeMux
|
||||
var pusher *controller.Controller
|
||||
|
||||
metricsConfig := MetricsConfig{
|
||||
Log: log,
|
||||
Config: metricsConfiguration,
|
||||
config: metricsConfiguration,
|
||||
}
|
||||
|
||||
err = metricsConfig.initializeMetrics()
|
||||
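Review bot: `InitMetrics` now returns the `MetricsConfigManager` interface, but its return statements lie outside this hunk; if any error path returns a nil `*MetricsConfig` variable rather than a literal `nil`, the caller receives a non-nil interface wrapping a typed nil. Callers on this page branch only on `err`, so such a value would surface later as a nil-pointer panic on the first `Config()` call instead of at the check. Please confirm each early return uses the untyped `nil` for the first result and that the success path returns `&metricsConfig`, since the local is declared as a value here. `InitMetrics` continues outside the hunk.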
|
|
|
@ -40,11 +40,12 @@ type MetricsConfig struct {
|
|||
clientQueriesMetric syncint64.Counter
|
||||
|
||||
// config
|
||||
Config kconfig.MetricsConfiguration
|
||||
config kconfig.MetricsConfiguration
|
||||
Log logr.Logger
|
||||
}
|
||||
|
||||
type MetricsConfigManager interface {
|
||||
Config() kconfig.MetricsConfiguration
|
||||
RecordPolicyResults(ctx context.Context, policyValidationMode PolicyValidationMode, policyType PolicyType, policyBackgroundMode PolicyBackgroundMode, policyNamespace string, policyName string, resourceKind string, resourceNamespace string, resourceRequestOperation ResourceRequestOperation, ruleName string, ruleResult RuleResult, ruleType RuleType, ruleExecutionCause RuleExecutionCause)
|
||||
RecordPolicyChanges(ctx context.Context, policyValidationMode PolicyValidationMode, policyType PolicyType, policyBackgroundMode PolicyBackgroundMode, policyNamespace string, policyName string, policyChangeType string)
|
||||
RecordPolicyRuleInfo(ctx context.Context, policyValidationMode PolicyValidationMode, policyType PolicyType, policyBackgroundMode PolicyBackgroundMode, policyNamespace string, policyName string, ruleName string, ruleType RuleType, status string, metricValue float64)
|
||||
|
@ -52,6 +53,10 @@ type MetricsConfigManager interface {
|
|||
RecordClientQueries(ctx context.Context, clientQueryOperation ClientQueryOperation, clientType ClientType, resourceKind string, resourceNamespace string)
|
||||
}
|
||||
|
||||
func (m *MetricsConfig) Config() kconfig.MetricsConfiguration {
|
||||
return m.config
|
||||
}
|
||||
|
||||
func (m *MetricsConfig) initializeMetrics() error {
|
||||
var err error
|
||||
meter := global.MeterProvider().Meter(MeterName)
|
||||
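Review bot: The new exported method `func (m *MetricsConfig) Config()` and the `Config()` entry added to the `MetricsConfigManager` interface have no doc comment, and the struct now mixes the unexported `config` with the still-exported `Log` field. Suggest `// Config returns the metrics configuration the manager was initialised with (see InitMetrics).` on the method, and a sentence on the interface noting that it is the type main and the webhook handlers now depend on. Making `config` unexported means out-of-package code can only reach it through `Config()`, which is what the interface change intends; consider whether `Log` should follow the same pattern for consistency.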
|
|
|
@ -9,7 +9,7 @@ import (
|
|||
|
||||
func registerPolicyChangesMetric(
|
||||
ctx context.Context,
|
||||
m *metrics.MetricsConfig,
|
||||
m metrics.MetricsConfigManager,
|
||||
policyValidationMode metrics.PolicyValidationMode,
|
||||
policyType metrics.PolicyType,
|
||||
policyBackgroundMode metrics.PolicyBackgroundMode,
|
||||
|
@ -19,12 +19,12 @@ func registerPolicyChangesMetric(
|
|||
if policyType == metrics.Cluster {
|
||||
policyNamespace = "-"
|
||||
}
|
||||
if m.Config.CheckNamespace(policyNamespace) {
|
||||
if m.Config().CheckNamespace(policyNamespace) {
|
||||
m.RecordPolicyChanges(ctx, policyValidationMode, policyType, policyBackgroundMode, policyNamespace, policyName, string(policyChangeType))
|
||||
}
|
||||
}
|
||||
|
||||
func RegisterPolicy(ctx context.Context, m *metrics.MetricsConfig, policy kyvernov1.PolicyInterface, policyChangeType PolicyChangeType) error {
|
||||
func RegisterPolicy(ctx context.Context, m metrics.MetricsConfigManager, policy kyvernov1.PolicyInterface, policyChangeType PolicyChangeType) error {
|
||||
name, namespace, policyType, backgroundMode, validationMode, err := metrics.GetPolicyInfos(policy)
|
||||
if err != nil {
|
||||
return err
|
||||
|
|
|
@ -10,7 +10,7 @@ import (
|
|||
|
||||
func registerPolicyExecutionDurationMetric(
|
||||
ctx context.Context,
|
||||
m *metrics.MetricsConfig,
|
||||
m metrics.MetricsConfigManager,
|
||||
policyValidationMode metrics.PolicyValidationMode,
|
||||
policyType metrics.PolicyType,
|
||||
policyBackgroundMode metrics.PolicyBackgroundMode,
|
||||
|
@ -25,14 +25,14 @@ func registerPolicyExecutionDurationMetric(
|
|||
if policyType == metrics.Cluster {
|
||||
policyNamespace = "-"
|
||||
}
|
||||
if m.Config.CheckNamespace(policyNamespace) {
|
||||
if m.Config().CheckNamespace(policyNamespace) {
|
||||
m.RecordPolicyExecutionDuration(ctx, policyValidationMode, policyType, policyBackgroundMode, policyNamespace, policyName, ruleName, ruleResult, ruleType, ruleExecutionCause, ruleExecutionLatency)
|
||||
}
|
||||
}
|
||||
|
||||
// policy - policy related data
|
||||
// engineResponse - resource and rule related data
|
||||
func ProcessEngineResponse(ctx context.Context, m *metrics.MetricsConfig, policy kyvernov1.PolicyInterface, engineResponse response.EngineResponse, executionCause metrics.RuleExecutionCause, resourceRequestOperation metrics.ResourceRequestOperation) error {
|
||||
func ProcessEngineResponse(ctx context.Context, m metrics.MetricsConfigManager, policy kyvernov1.PolicyInterface, engineResponse response.EngineResponse, executionCause metrics.RuleExecutionCause, resourceRequestOperation metrics.ResourceRequestOperation) error {
|
||||
name, namespace, policyType, backgroundMode, validationMode, err := metrics.GetPolicyInfos(policy)
|
||||
if err != nil {
|
||||
return err
|
||||
|
|
|
@ -10,7 +10,7 @@ import (
|
|||
|
||||
func registerPolicyResultsMetric(
|
||||
ctx context.Context,
|
||||
m *metrics.MetricsConfig,
|
||||
m metrics.MetricsConfigManager,
|
||||
policyValidationMode metrics.PolicyValidationMode,
|
||||
policyType metrics.PolicyType,
|
||||
policyBackgroundMode metrics.PolicyBackgroundMode,
|
||||
|
@ -25,14 +25,14 @@ func registerPolicyResultsMetric(
|
|||
if policyType == metrics.Cluster {
|
||||
policyNamespace = "-"
|
||||
}
|
||||
if m.Config.CheckNamespace(policyNamespace) {
|
||||
if m.Config().CheckNamespace(policyNamespace) {
|
||||
m.RecordPolicyResults(ctx, policyValidationMode, policyType, policyBackgroundMode, policyNamespace, policyName, resourceKind, resourceNamespace, resourceRequestOperation, ruleName, ruleResult, ruleType, ruleExecutionCause)
|
||||
}
|
||||
}
|
||||
|
||||
// policy - policy related data
|
||||
// engineResponse - resource and rule related data
|
||||
func ProcessEngineResponse(ctx context.Context, m *metrics.MetricsConfig, policy kyvernov1.PolicyInterface, engineResponse response.EngineResponse, executionCause metrics.RuleExecutionCause, resourceRequestOperation metrics.ResourceRequestOperation) error {
|
||||
func ProcessEngineResponse(ctx context.Context, m metrics.MetricsConfigManager, policy kyvernov1.PolicyInterface, engineResponse response.EngineResponse, executionCause metrics.RuleExecutionCause, resourceRequestOperation metrics.ResourceRequestOperation) error {
|
||||
name, namespace, policyType, backgroundMode, validationMode, err := metrics.GetPolicyInfos(policy)
|
||||
if err != nil {
|
||||
return err
|
||||
|
|
|
@ -11,7 +11,7 @@ import (
|
|||
|
||||
func registerPolicyRuleInfoMetric(
|
||||
ctx context.Context,
|
||||
m *metrics.MetricsConfig,
|
||||
m metrics.MetricsConfigManager,
|
||||
policyValidationMode metrics.PolicyValidationMode,
|
||||
policyType metrics.PolicyType,
|
||||
policyBackgroundMode metrics.PolicyBackgroundMode,
|
||||
|
@ -29,7 +29,7 @@ func registerPolicyRuleInfoMetric(
|
|||
default:
|
||||
return fmt.Errorf("unknown metric change type found: %s", metricChangeType)
|
||||
}
|
||||
if m.Config.CheckNamespace(policyNamespace) {
|
||||
if m.Config().CheckNamespace(policyNamespace) {
|
||||
if policyType == metrics.Cluster {
|
||||
policyNamespace = "-"
|
||||
}
|
||||
|
@ -42,7 +42,7 @@ func registerPolicyRuleInfoMetric(
|
|||
return nil
|
||||
}
|
||||
|
||||
func AddPolicy(ctx context.Context, m *metrics.MetricsConfig, policy kyvernov1.PolicyInterface) error {
|
||||
func AddPolicy(ctx context.Context, m metrics.MetricsConfigManager, policy kyvernov1.PolicyInterface) error {
|
||||
name, namespace, policyType, backgroundMode, validationMode, err := metrics.GetPolicyInfos(policy)
|
||||
if err != nil {
|
||||
return err
|
||||
|
@ -58,7 +58,7 @@ func AddPolicy(ctx context.Context, m *metrics.MetricsConfig, policy kyvernov1.P
|
|||
return nil
|
||||
}
|
||||
|
||||
func RemovePolicy(ctx context.Context, m *metrics.MetricsConfig, policy kyvernov1.PolicyInterface) error {
|
||||
func RemovePolicy(ctx context.Context, m metrics.MetricsConfigManager, policy kyvernov1.PolicyInterface) error {
|
||||
name, namespace, policyType, backgroundMode, validationMode, err := metrics.GetPolicyInfos(policy)
|
||||
if err != nil {
|
||||
return err
|
||||
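Review bot: In registerPolicyRuleInfoMetric the rewritten `if m.Config().CheckNamespace(policyNamespace) {` runs before the cluster-policy substitution `if policyType == metrics.Cluster { policyNamespace = "-" }`, whereas registerPolicyChangesMetric, registerPolicyExecutionDurationMetric and registerPolicyResultsMetric in this same commit substitute first and check afterwards. The namespace filter therefore sees the raw namespace for cluster policies here and `"-"` elsewhere, so one configuration can include a cluster policy in one metric and exclude it from another. The ordering predates this commit, but since the line is being rewritten it is a natural moment to move the substitution above the check so the four helpers agree. The rest of registerPolicyRuleInfoMetric lies outside the hunk.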
|
|
|
@ -86,7 +86,7 @@ type PolicyController struct {
|
|||
|
||||
log logr.Logger
|
||||
|
||||
metricsConfig *metrics.MetricsConfig
|
||||
metricsConfig metrics.MetricsConfigManager
|
||||
}
|
||||
|
||||
// NewPolicyController create a new PolicyController
|
||||
|
@ -101,7 +101,7 @@ func NewPolicyController(
|
|||
namespaces corev1informers.NamespaceInformer,
|
||||
log logr.Logger,
|
||||
reconcilePeriod time.Duration,
|
||||
metricsConfig *metrics.MetricsConfig,
|
||||
metricsConfig metrics.MetricsConfigManager,
|
||||
) (*PolicyController, error) {
|
||||
// Event broad caster
|
||||
eventBroadcaster := record.NewBroadcaster()
|
||||
|
|
|
@ -33,7 +33,7 @@ type GenerationHandler interface {
|
|||
// TODO: why do we need to expose that ?
|
||||
HandleUpdatesForGenerateRules(*admissionv1.AdmissionRequest, []kyvernov1.PolicyInterface)
|
||||
Handle(
|
||||
*metrics.MetricsConfig,
|
||||
metrics.MetricsConfigManager,
|
||||
*admissionv1.AdmissionRequest,
|
||||
[]kyvernov1.PolicyInterface,
|
||||
*engine.PolicyContext,
|
||||
|
@ -76,7 +76,7 @@ type generationHandler struct {
|
|||
|
||||
// Handle handles admission-requests for policies with generate rules
|
||||
func (h *generationHandler) Handle(
|
||||
metricsConfig *metrics.MetricsConfig,
|
||||
metricsConfig metrics.MetricsConfigManager,
|
||||
request *admissionv1.AdmissionRequest,
|
||||
policies []kyvernov1.PolicyInterface,
|
||||
policyContext *engine.PolicyContext,
|
||||
|
|
|
@ -40,7 +40,7 @@ type handlers struct {
|
|||
|
||||
// config
|
||||
configuration config.Configuration
|
||||
metricsConfig *metrics.MetricsConfig
|
||||
metricsConfig metrics.MetricsConfigManager
|
||||
|
||||
// cache
|
||||
pCache policycache.Cache
|
||||
|
@ -64,7 +64,7 @@ func NewHandlers(
|
|||
client dclient.Interface,
|
||||
kyvernoClient versioned.Interface,
|
||||
configuration config.Configuration,
|
||||
metricsConfig *metrics.MetricsConfig,
|
||||
metricsConfig metrics.MetricsConfigManager,
|
||||
pCache policycache.Cache,
|
||||
nsLister corev1listers.NamespaceLister,
|
||||
rbLister rbacv1listers.RoleBindingLister,
|
||||
|
|
|
@ -24,7 +24,7 @@ import (
|
|||
|
||||
type ImageVerificationHandler interface {
|
||||
Handle(
|
||||
*metrics.MetricsConfig,
|
||||
metrics.MetricsConfigManager,
|
||||
*admissionv1.AdmissionRequest,
|
||||
[]kyvernov1.PolicyInterface,
|
||||
*engine.PolicyContext,
|
||||
|
@ -53,7 +53,7 @@ type imageVerificationHandler struct {
|
|||
}
|
||||
|
||||
func (h *imageVerificationHandler) Handle(
|
||||
metricsConfig *metrics.MetricsConfig,
|
||||
metricsConfig metrics.MetricsConfigManager,
|
||||
request *admissionv1.AdmissionRequest,
|
||||
policies []kyvernov1.PolicyInterface,
|
||||
policyContext *engine.PolicyContext,
|
||||
|
|
|
@ -30,7 +30,7 @@ type MutationHandler interface {
|
|||
// If there are no errors in validating rule we apply generation rules
|
||||
// patchedResource is the (resource + patches) after applying mutation rules
|
||||
HandleMutation(
|
||||
*metrics.MetricsConfig,
|
||||
metrics.MetricsConfigManager,
|
||||
*admissionv1.AdmissionRequest,
|
||||
[]kyvernov1.PolicyInterface,
|
||||
*engine.PolicyContext,
|
||||
|
@ -61,7 +61,7 @@ type mutationHandler struct {
|
|||
}
|
||||
|
||||
func (h *mutationHandler) HandleMutation(
|
||||
metricsConfig *metrics.MetricsConfig,
|
||||
metricsConfig metrics.MetricsConfigManager,
|
||||
request *admissionv1.AdmissionRequest,
|
||||
policies []kyvernov1.PolicyInterface,
|
||||
policyContext *engine.PolicyContext,
|
||||
|
@ -78,7 +78,7 @@ func (h *mutationHandler) HandleMutation(
|
|||
// applyMutations handles mutating webhook admission request
|
||||
// return value: generated patches, triggered policies, engine responses correspdonding to the triggered policies
|
||||
func (v *mutationHandler) applyMutations(
|
||||
metricsConfig *metrics.MetricsConfig,
|
||||
metricsConfig metrics.MetricsConfigManager,
|
||||
request *admissionv1.AdmissionRequest,
|
||||
policies []kyvernov1.PolicyInterface,
|
||||
policyContext *engine.PolicyContext,
|
||||
|
|
|
@ -27,7 +27,7 @@ type ValidationHandler interface {
|
|||
// HandleValidation handles validating webhook admission request
|
||||
// If there are no errors in validating rule we apply generation rules
|
||||
// patchedResource is the (resource + patches) after applying mutation rules
|
||||
HandleValidation(*metrics.MetricsConfig, *admissionv1.AdmissionRequest, []kyvernov1.PolicyInterface, *engine.PolicyContext, map[string]string, time.Time) (bool, string, []string)
|
||||
HandleValidation(metrics.MetricsConfigManager, *admissionv1.AdmissionRequest, []kyvernov1.PolicyInterface, *engine.PolicyContext, map[string]string, time.Time) (bool, string, []string)
|
||||
}
|
||||
|
||||
func NewValidationHandler(
|
||||
|
@ -58,7 +58,7 @@ type validationHandler struct {
|
|||
}
|
||||
|
||||
func (v *validationHandler) HandleValidation(
|
||||
metricsConfig *metrics.MetricsConfig,
|
||||
metricsConfig metrics.MetricsConfigManager,
|
||||
request *admissionv1.AdmissionRequest,
|
||||
policies []kyvernov1.PolicyInterface,
|
||||
policyContext *engine.PolicyContext,
|
||||
|
|
|
@ -67,7 +67,7 @@ func NewServer(
|
|||
policyHandlers PolicyHandlers,
|
||||
resourceHandlers ResourceHandlers,
|
||||
configuration config.Configuration,
|
||||
metricsConfig *metrics.MetricsConfig,
|
||||
metricsConfig metrics.MetricsConfigManager,
|
||||
debugModeOpts DebugModeOptions,
|
||||
tlsProvider TlsProvider,
|
||||
mwcClient controllerutils.DeleteClient[*admissionregistrationv1.MutatingWebhookConfiguration],
|
||||
|
@ -90,7 +90,7 @@ func NewServer(
|
|||
WithProtection(toggle.ProtectManagedResources.Enabled()).
|
||||
WithDump(debugModeOpts.DumpPayload).
|
||||
WithOperationFilter(admissionv1.Create, admissionv1.Update, admissionv1.Connect).
|
||||
WithMetrics(resourceLogger, metricsConfig.Config, metrics.WebhookMutating).
|
||||
WithMetrics(resourceLogger, metricsConfig.Config(), metrics.WebhookMutating).
|
||||
WithAdmission(resourceLogger.WithName("mutate"))
|
||||
},
|
||||
)
|
||||
|
@ -104,7 +104,7 @@ func NewServer(
|
|||
WithFilter(configuration).
|
||||
WithProtection(toggle.ProtectManagedResources.Enabled()).
|
||||
WithDump(debugModeOpts.DumpPayload).
|
||||
WithMetrics(resourceLogger, metricsConfig.Config, metrics.WebhookValidating).
|
||||
WithMetrics(resourceLogger, metricsConfig.Config(), metrics.WebhookValidating).
|
||||
WithAdmission(resourceLogger.WithName("validate"))
|
||||
},
|
||||
)
|
||||
|
@ -113,7 +113,7 @@ func NewServer(
|
|||
config.PolicyMutatingWebhookServicePath,
|
||||
handlers.FromAdmissionFunc("MUTATE", policyHandlers.Mutate).
|
||||
WithDump(debugModeOpts.DumpPayload).
|
||||
WithMetrics(policyLogger, metricsConfig.Config, metrics.WebhookMutating).
|
||||
WithMetrics(policyLogger, metricsConfig.Config(), metrics.WebhookMutating).
|
||||
WithAdmission(policyLogger.WithName("mutate")).
|
||||
ToHandlerFunc(),
|
||||
)
|
||||
|
@ -123,7 +123,7 @@ func NewServer(
|
|||
handlers.FromAdmissionFunc("VALIDATE", policyHandlers.Validate).
|
||||
WithDump(debugModeOpts.DumpPayload).
|
||||
WithSubResourceFilter().
|
||||
WithMetrics(policyLogger, metricsConfig.Config, metrics.WebhookValidating).
|
||||
WithMetrics(policyLogger, metricsConfig.Config(), metrics.WebhookValidating).
|
||||
WithAdmission(policyLogger.WithName("validate")).
|
||||
ToHandlerFunc(),
|
||||
)
|
||||
|
|
|
@ -26,19 +26,19 @@ func registerMetric(logger logr.Logger, m string, requestOperation string, r rep
|
|||
|
||||
// POLICY RESULTS
|
||||
|
||||
func RegisterPolicyResultsMetricMutation(ctx context.Context, logger logr.Logger, metricsConfig *metrics.MetricsConfig, requestOperation string, policy kyvernov1.PolicyInterface, engineResponse response.EngineResponse) {
|
||||
func RegisterPolicyResultsMetricMutation(ctx context.Context, logger logr.Logger, metricsConfig metrics.MetricsConfigManager, requestOperation string, policy kyvernov1.PolicyInterface, engineResponse response.EngineResponse) {
|
||||
registerMetric(logger, "kyverno_policy_results_total", requestOperation, func(op metrics.ResourceRequestOperation) error {
|
||||
return policyResults.ProcessEngineResponse(ctx, metricsConfig, policy, engineResponse, metrics.AdmissionRequest, op)
|
||||
})
|
||||
}
|
||||
|
||||
func RegisterPolicyResultsMetricValidation(ctx context.Context, logger logr.Logger, metricsConfig *metrics.MetricsConfig, requestOperation string, policy kyvernov1.PolicyInterface, engineResponse response.EngineResponse) {
|
||||
func RegisterPolicyResultsMetricValidation(ctx context.Context, logger logr.Logger, metricsConfig metrics.MetricsConfigManager, requestOperation string, policy kyvernov1.PolicyInterface, engineResponse response.EngineResponse) {
|
||||
registerMetric(logger, "kyverno_policy_results_total", requestOperation, func(op metrics.ResourceRequestOperation) error {
|
||||
return policyResults.ProcessEngineResponse(ctx, metricsConfig, policy, engineResponse, metrics.AdmissionRequest, op)
|
||||
})
|
||||
}
|
||||
|
||||
func RegisterPolicyResultsMetricGeneration(ctx context.Context, logger logr.Logger, metricsConfig *metrics.MetricsConfig, requestOperation string, policy kyvernov1.PolicyInterface, engineResponse response.EngineResponse) {
|
||||
func RegisterPolicyResultsMetricGeneration(ctx context.Context, logger logr.Logger, metricsConfig metrics.MetricsConfigManager, requestOperation string, policy kyvernov1.PolicyInterface, engineResponse response.EngineResponse) {
|
||||
registerMetric(logger, "kyverno_policy_results_total", requestOperation, func(op metrics.ResourceRequestOperation) error {
|
||||
return policyResults.ProcessEngineResponse(ctx, metricsConfig, policy, engineResponse, metrics.AdmissionRequest, op)
|
||||
})
|
||||
|
@ -46,19 +46,19 @@ func RegisterPolicyResultsMetricGeneration(ctx context.Context, logger logr.Logg
|
|||
|
||||
// POLICY EXECUTION
|
||||
|
||||
func RegisterPolicyExecutionDurationMetricMutate(ctx context.Context, logger logr.Logger, metricsConfig *metrics.MetricsConfig, requestOperation string, policy kyvernov1.PolicyInterface, engineResponse response.EngineResponse) {
|
||||
func RegisterPolicyExecutionDurationMetricMutate(ctx context.Context, logger logr.Logger, metricsConfig metrics.MetricsConfigManager, requestOperation string, policy kyvernov1.PolicyInterface, engineResponse response.EngineResponse) {
|
||||
registerMetric(logger, "kyverno_policy_execution_duration_seconds", requestOperation, func(op metrics.ResourceRequestOperation) error {
|
||||
return policyExecutionDuration.ProcessEngineResponse(ctx, metricsConfig, policy, engineResponse, metrics.AdmissionRequest, op)
|
||||
})
|
||||
}
|
||||
|
||||
func RegisterPolicyExecutionDurationMetricValidate(ctx context.Context, logger logr.Logger, metricsConfig *metrics.MetricsConfig, requestOperation string, policy kyvernov1.PolicyInterface, engineResponse response.EngineResponse) {
|
||||
func RegisterPolicyExecutionDurationMetricValidate(ctx context.Context, logger logr.Logger, metricsConfig metrics.MetricsConfigManager, requestOperation string, policy kyvernov1.PolicyInterface, engineResponse response.EngineResponse) {
|
||||
registerMetric(logger, "kyverno_policy_execution_duration_seconds", requestOperation, func(op metrics.ResourceRequestOperation) error {
|
||||
return policyExecutionDuration.ProcessEngineResponse(ctx, metricsConfig, policy, engineResponse, metrics.AdmissionRequest, op)
|
||||
})
|
||||
}
|
||||
|
||||
func RegisterPolicyExecutionDurationMetricGenerate(ctx context.Context, logger logr.Logger, metricsConfig *metrics.MetricsConfig, requestOperation string, policy kyvernov1.PolicyInterface, engineResponse response.EngineResponse) {
|
||||
func RegisterPolicyExecutionDurationMetricGenerate(ctx context.Context, logger logr.Logger, metricsConfig metrics.MetricsConfigManager, requestOperation string, policy kyvernov1.PolicyInterface, engineResponse response.EngineResponse) {
|
||||
registerMetric(logger, "kyverno_policy_execution_duration_seconds", requestOperation, func(op metrics.ResourceRequestOperation) error {
|
||||
return policyExecutionDuration.ProcessEngineResponse(ctx, metricsConfig, policy, engineResponse, metrics.AdmissionRequest, op)
|
||||
})
|
||||
|
|
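Review bot: RegisterPolicyResultsMetricMutation, RegisterPolicyResultsMetricValidation and RegisterPolicyResultsMetricGeneration (and the three RegisterPolicyExecutionDuration* functions in the second hunk) are exported but still carry no doc comment, and after this signature change a reader has to infer from the body that the new `metricsConfig metrics.MetricsConfigManager` argument is only forwarded to `ProcessEngineResponse`. A one-line comment per function would fix that, e.g. `// RegisterPolicyResultsMetricMutation records the kyverno_policy_results_total metric for an admission request from engineResponse; metricsConfig is passed through unchanged to policyResults.ProcessEngineResponse.`, with the mirror wording for the Validation/Generation and ExecutionDuration variants. Separately, within each group the three bodies are identical apart from the function name — same metric name, same `metrics.AdmissionRequest`, same forwarded arguments — so if the Mutation/Validation/Generation distinction is meant to influence what is recorded, it does not here; presumably the rule type is carried inside engineResponse, which is worth stating in the comment so the duplication reads as intentional rather than as a missing parameter.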