diff --git a/cmd/kyverno/main.go b/cmd/kyverno/main.go
index 857039b35a..7087d41832 100644
--- a/cmd/kyverno/main.go
+++ b/cmd/kyverno/main.go
@@ -252,7 +252,7 @@ func main() {
 	go grcc.Run(1, stopCh)
 	go pvgen.Run(1, stopCh)
 	go statusSync.Run(1, stopCh)
-	go openApiSync.Run(1, stopCh)
+	openApiSync.Run(1, stopCh)
 
 	// verifys if the admission control is enabled and active
 	// resync: 60 seconds
diff --git a/pkg/openapi/crdSync.go b/pkg/openapi/crdSync.go
index 56a7580025..908d2115f1 100644
--- a/pkg/openapi/crdSync.go
+++ b/pkg/openapi/crdSync.go
@@ -55,19 +55,18 @@ func (c *crdSync) Run(workers int, stopCh <-chan struct{}) {
 	for i := 0; i < workers; i++ {
 		go wait.Until(c.sync, time.Second*10, stopCh)
 	}
-	<-stopCh
 }
 
 func (c *crdSync) sync() {
-	openApiGlobalState.mutex.Lock()
-	defer openApiGlobalState.mutex.Unlock()
-
 	crds, err := c.client.ListResource("CustomResourceDefinition", "", nil)
 	if err != nil {
 		glog.V(4).Infof("could not fetch crd's from server: %v", err)
 		return
 	}
 
+	openApiGlobalState.mutex.Lock()
+	defer openApiGlobalState.mutex.Unlock()
+
 	deleteCRDFromPreviousSync()
 
 	for _, crd := range crds.Items {
diff --git a/pkg/openapi/validation.go b/pkg/openapi/validation.go
index 69f9eff330..5f7b2ac1bd 100644
--- a/pkg/openapi/validation.go
+++ b/pkg/openapi/validation.go
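Review bot: Dropping `go` on this call does not make the first CRD schema load synchronous, if that was the intent: `crdSync.Run` (second hunk) still launches `wait.Until(c.sync, ...)` in a goroutine and returns at once, so the admission server presumably can start serving before `openApiGlobalState` holds any CRD schemas, and early `ValidateResource` calls for custom kinds would fail with "couldn't find model". If that ordering matters, have `Run` perform one `c.sync()` synchronously before starting the workers. Either way the line now reads differently from the three `go ...Run(1, stopCh)` calls above it, so a comment such as `// openApiSync.Run returns after starting its workers; no goroutine needed` would stop the next reader from re-adding `go`. `main` continues outside the hunk.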
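Review bot: Moving the write lock below `ListResource` is the right fix, but `Run` now returns immediately instead of blocking on `stopCh`, and nothing says so; every other `Run` in main is started with `go` on the assumption that it blocks. Suggested doc comment on `Run`: `// Run starts workers that resync CRD schemas every 10 seconds until stopCh is closed. It returns immediately; callers need not start it in a goroutine.` With `workers > 1` each worker runs the same delete-and-rebuild of the global state under the same lock, so the parameter only multiplies redundant work and is worth documenting as such or pinning to one worker. The early return on a list error leaves the previous sync's schemas in place, which is reasonable, but since it is logged only at `glog.V(4)` a persistent failure (for example a missing RBAC permission to list CRDs) is invisible at default verbosity while validation silently runs on stale data. `sync` continues past the end of the hunk.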
@@ -71,6 +71,39 @@ func ValidatePolicyFields(policyRaw []byte) error {
 	return validatePolicyMutation(policy)
 }
 
+func ValidateResource(patchedResource unstructured.Unstructured, kind string) error {
+	openApiGlobalState.mutex.RLock()
+	defer openApiGlobalState.mutex.RUnlock()
+	var err error
+
+	kind = openApiGlobalState.kindToDefinitionName[kind]
+	schema := openApiGlobalState.models.LookupModel(kind)
+	if schema == nil {
+		schema, err = getSchemaFromDefinitions(kind)
+		if err != nil || schema == nil {
+			return fmt.Errorf("pre-validation: couldn't find model %s", kind)
+		}
+		delete(patchedResource.Object, "kind")
+	}
+
+	if errs := validation.ValidateModel(patchedResource.UnstructuredContent(), schema, kind); len(errs) > 0 {
+		var errorMessages []string
+		for i := range errs {
+			errorMessages = append(errorMessages, errs[i].Error())
+		}
+
+		return fmt.Errorf(strings.Join(errorMessages, "\n\n"))
+	}
+
+	return nil
+}
+
+func GetDefinitionNameFromKind(kind string) string {
+	openApiGlobalState.mutex.RLock()
+	defer openApiGlobalState.mutex.RUnlock()
+	return openApiGlobalState.kindToDefinitionName[kind]
+}
+
 func validatePolicyMutation(policy v1.ClusterPolicy) error {
 	var kindToRules = make(map[string][]v1.Rule)
 	for _, rule := range policy.Spec.Rules {
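Review bot: `return fmt.Errorf(strings.Join(errorMessages, "\n\n"))` passes a non-constant format string; the joined text comes from `ValidateModel` errors, which may embed field names and values taken from the admission request, so any `%` in them is read as a verb and the message is garbled (`go vet` flags this). Use `fmt.Errorf("%s", strings.Join(errorMessages, "\n\n"))`, or `errors.New(...)` if the file already imports `errors`. `delete(patchedResource.Object, "kind")` also mutates the caller's map — `Unstructured` is passed by value but its `Object` map is shared — so the caller's resource loses `kind` whenever the definition-lookup fallback runs; if callers use the resource afterwards, validate a copy instead. Because the `kind` parameter is overwritten by the map lookup before the error is built, a kind with no definition reports `couldn't find model ` with an empty name; keeping the original in a local such as `defName := openApiGlobalState.kindToDefinitionName[kind]` and naming both in the error would make it actionable. Both functions are moved verbatim from further down the file (third hunk), so the same applies there only as history.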
@@ -112,39 +145,6 @@ func validatePolicyMutation(policy v1.ClusterPolicy) error {
 	return nil
 }
 
-func ValidateResource(patchedResource unstructured.Unstructured, kind string) error {
-	openApiGlobalState.mutex.RLock()
-	defer openApiGlobalState.mutex.RUnlock()
-	var err error
-
-	kind = openApiGlobalState.kindToDefinitionName[kind]
-	schema := openApiGlobalState.models.LookupModel(kind)
-	if schema == nil {
-		schema, err = getSchemaFromDefinitions(kind)
-		if err != nil || schema == nil {
-			return fmt.Errorf("pre-validation: couldn't find model %s", kind)
-		}
-		delete(patchedResource.Object, "kind")
-	}
-
-	if errs := validation.ValidateModel(patchedResource.UnstructuredContent(), schema, kind); len(errs) > 0 {
-		var errorMessages []string
-		for i := range errs {
-			errorMessages = append(errorMessages, errs[i].Error())
-		}
-
-		return fmt.Errorf(strings.Join(errorMessages, "\n\n"))
-	}
-
-	return nil
-}
-
-func GetDefinitionNameFromKind(kind string) string {
-	openApiGlobalState.mutex.RLock()
-	defer openApiGlobalState.mutex.RUnlock()
-	return openApiGlobalState.kindToDefinitionName[kind]
-}
-
 func useOpenApiDocument(customDoc *openapi_v2.Document) error {
 	openApiGlobalState.mutex.Lock()
 	defer openApiGlobalState.mutex.Unlock()