chore: remove config flags (#3786)

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2025-04-15 16:56:56 +00:00 · 2022-05-03 19:52:10 +02:00 · 2022-05-03 19:52:10 +02:00 · 2b6549fd5b
commit 2b6549fd5b
parent 32789d1c0d
6 changed files with 4 additions and 35 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -4,6 +4,7 @@

 - `status.ready` of the policy is deprecated in favor of `policy.IsReady()`. The implementation was changed to use `status.conditions` that offer more flexibility. The `status.ready` will be kept for a couple of releases until we remove it in the future.
 - Deprecated flags have been removed.
+- Flags that were overlapping with config map based configuration were removed (`filterK8sResources`, `excludeGroupRole`, `excludeUsername`). They can now be configured using the config map only.

 ## v1.6.0-rc1
 ### Note
--- a/cmd/kyverno/main.go
+++ b/cmd/kyverno/main.go
@ -50,11 +50,8 @@ const resyncPeriod = 15 * time.Minute
 var (
 	//TODO: this has been added to backward support command line arguments
 	// will be removed in future and the configuration will be set only via configmaps
-	filterK8sResources           string
 	kubeconfig                   string
 	serverIP                     string
-	excludeGroupRole             string
-	excludeUsername              string
 	profilePort                  string
 	metricsPort                  string
 	webhookTimeout               int
@ -74,9 +71,6 @@ var (
 func main() {
 	klog.InitFlags(nil)
 	log.SetLogger(klogr.New().WithCallDepth(1))
-	flag.StringVar(&filterK8sResources, "filterK8sResources", "", "Resource in format [kind,namespace,name] where policy is not evaluated by the admission webhook. For example, --filterK8sResources \"[Deployment, kyverno, kyverno],[Events, *, *]\"")
-	flag.StringVar(&excludeGroupRole, "excludeGroupRole", "", "")
-	flag.StringVar(&excludeUsername, "excludeUsername", "", "")
 	flag.IntVar(&webhookTimeout, "webhookTimeout", int(webhookconfig.DefaultWebhookTimeout), "Timeout for webhook configurations.")
 	flag.IntVar(&genWorkers, "genWorkers", 10, "Workers for generate controller")
 	flag.StringVar(&kubeconfig, "kubeconfig", "", "Path to a kubeconfig. Only required if out-of-cluster.")
@ -233,9 +227,6 @@ func main() {
 	configData := config.NewConfigData(
 		kubeClient,
 		kubeKyvernoInformer.Core().V1().ConfigMaps(),
-		filterK8sResources,
-		excludeGroupRole,
-		excludeUsername,
 		prgen.ReconcileCh,
 		webhookCfg.UpdateWebhookChan,
 	)
--- a/config/install.yaml
+++ b/config/install.yaml
@ -12266,7 +12266,6 @@ spec:
            weight: 1
      containers:
      - args:
-        - --filterK8sResources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,kyverno*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]
        - -v=2
        - --autogenInternals=false
        env:
--- a/config/manifest/deployment.yaml
+++ b/config/manifest/deployment.yaml
@ -70,7 +70,6 @@ spec:
          image: ghcr.io/kyverno/kyverno:latest
          imagePullPolicy: Always
          args:
-          - "--filterK8sResources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,kyverno*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]"
          # customize webhook timeout
          #- "--webhookTimeout=4"
          # enable profiling
--- a/config/release/install.yaml
+++ b/config/release/install.yaml
@ -11317,7 +11317,6 @@ spec:
            weight: 1
      containers:
      - args:
-        - --filterK8sResources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,kyverno*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]
        - -v=2
        - --autogenInternals=false
        env:
--- a/pkg/config/dynamicconfig.go
+++ b/pkg/config/dynamicconfig.go
@ -127,44 +127,24 @@ type Interface interface {
 }

 // NewConfigData ...
-func NewConfigData(rclient kubernetes.Interface, cmInformer informers.ConfigMapInformer, filterK8sResources, excludeGroupRole, excludeUsername string, reconcilePolicyReport, updateWebhookConfigurations chan<- bool) *ConfigData {
+func NewConfigData(rclient kubernetes.Interface, cmInformer informers.ConfigMapInformer, reconcilePolicyReport, updateWebhookConfigurations chan<- bool) *ConfigData {
 	// environment var is read at start only
 	if cmNameEnv == "" {
 		logger.Info("ConfigMap name not defined in env:INIT_CONFIG: loading no default configuration")
 	}
-
 	cd := ConfigData{
 		client:                      rclient,
 		cmName:                      os.Getenv(cmNameEnv),
 		reconcilePolicyReport:       reconcilePolicyReport,
 		updateWebhookConfigurations: updateWebhookConfigurations,
+		restrictDevelopmentUsername: []string{"minikube-user", "kubernetes-admin"},
 	}
-
-	cd.restrictDevelopmentUsername = []string{"minikube-user", "kubernetes-admin"}
-
-	if filterK8sResources != "" {
-		logger.Info("init configuration from commandline arguments for filterK8sResources")
-		cd.initFilters(filterK8sResources)
-	}
-
-	if excludeGroupRole != "" {
-		logger.Info("init configuration from commandline arguments for excludeGroupRole")
-		cd.initRbac("excludeRoles", excludeGroupRole)
-	} else {
-		cd.initRbac("excludeRoles", "")
-	}
-
-	if excludeUsername != "" {
-		logger.Info("init configuration from commandline arguments for excludeUsername")
-		cd.initRbac("excludeUsername", excludeUsername)
-	}
-
+	cd.initRbac("excludeRoles", "")
 	cmInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
 		AddFunc:    cd.addCM,
 		UpdateFunc: cd.updateCM,
 		DeleteFunc: cd.deleteCM,
 	})
-
 	return &cd
 }