754 crds can be immidiatly validate on startup - changed locks so as to not timeout requests

cmd/kyverno/main.go

@@ -252,7 +252,7 @@ func main() {
 	go grcc.Run(1, stopCh)
 	go pvgen.Run(1, stopCh)
 	go statusSync.Run(1, stopCh)
-	go openApiSync.Run(1, stopCh)
+	openApiSync.Run(1, stopCh)
 
 	// verifys if the admission control is enabled and active
 	// resync: 60 seconds

pkg/openapi/crdSync.go

@@ -55,19 +55,18 @@ func (c *crdSync) Run(workers int, stopCh <-chan struct{}) {
 	for i := 0; i < workers; i++ {
 		go wait.Until(c.sync, time.Second*10, stopCh)
 	}
-	<-stopCh
 }
 
 func (c *crdSync) sync() {
-	openApiGlobalState.mutex.Lock()
-	defer openApiGlobalState.mutex.Unlock()
-
 	crds, err := c.client.ListResource("CustomResourceDefinition", "", nil)
 	if err != nil {
 		glog.V(4).Infof("could not fetch crd's from server: %v", err)
 		return
 	}
 
+	openApiGlobalState.mutex.Lock()
+	defer openApiGlobalState.mutex.Unlock()
+
 	deleteCRDFromPreviousSync()
 
 	for _, crd := range crds.Items {

pkg/openapi/validation.go

@@ -71,6 +71,39 @@ func ValidatePolicyFields(policyRaw []byte) error {
 	return validatePolicyMutation(policy)
 }
 
+func ValidateResource(patchedResource unstructured.Unstructured, kind string) error {
+	openApiGlobalState.mutex.RLock()
+	defer openApiGlobalState.mutex.RUnlock()
+	var err error
+
+	kind = openApiGlobalState.kindToDefinitionName[kind]
+	schema := openApiGlobalState.models.LookupModel(kind)
+	if schema == nil {
+		schema, err = getSchemaFromDefinitions(kind)
+		if err != nil || schema == nil {
+			return fmt.Errorf("pre-validation: couldn't find model %s", kind)
+		}
+		delete(patchedResource.Object, "kind")
+	}
+
+	if errs := validation.ValidateModel(patchedResource.UnstructuredContent(), schema, kind); len(errs) > 0 {
+		var errorMessages []string
+		for i := range errs {
+			errorMessages = append(errorMessages, errs[i].Error())
+		}
+
+		return fmt.Errorf(strings.Join(errorMessages, "\n\n"))
+	}
+
+	return nil
+}
+
+func GetDefinitionNameFromKind(kind string) string {
+	openApiGlobalState.mutex.RLock()
+	defer openApiGlobalState.mutex.RUnlock()
+	return openApiGlobalState.kindToDefinitionName[kind]
+}
+
 func validatePolicyMutation(policy v1.ClusterPolicy) error {
 	var kindToRules = make(map[string][]v1.Rule)
 	for _, rule := range policy.Spec.Rules {
@@ -112,39 +145,6 @@ func validatePolicyMutation(policy v1.ClusterPolicy) error {
 	return nil
 }
 
-func ValidateResource(patchedResource unstructured.Unstructured, kind string) error {
-	openApiGlobalState.mutex.RLock()
-	defer openApiGlobalState.mutex.RUnlock()
-	var err error
-
-	kind = openApiGlobalState.kindToDefinitionName[kind]
-	schema := openApiGlobalState.models.LookupModel(kind)
-	if schema == nil {
-		schema, err = getSchemaFromDefinitions(kind)
-		if err != nil || schema == nil {
-			return fmt.Errorf("pre-validation: couldn't find model %s", kind)
-		}
-		delete(patchedResource.Object, "kind")
-	}
-
-	if errs := validation.ValidateModel(patchedResource.UnstructuredContent(), schema, kind); len(errs) > 0 {
-		var errorMessages []string
-		for i := range errs {
-			errorMessages = append(errorMessages, errs[i].Error())
-		}
-
-		return fmt.Errorf(strings.Join(errorMessages, "\n\n"))
-	}
-
-	return nil
-}
-
-func GetDefinitionNameFromKind(kind string) string {
-	openApiGlobalState.mutex.RLock()
-	defer openApiGlobalState.mutex.RUnlock()
-	return openApiGlobalState.kindToDefinitionName[kind]
-}
-
 func useOpenApiDocument(customDoc *openapi_v2.Document) error {
 	openApiGlobalState.mutex.Lock()
 	defer openApiGlobalState.mutex.Unlock()