
feat: consider maxAPICallResponseLength (#9620)

* chore: move global context package out of engine

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* feat: consider maxAPICallResponseLength

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché 2024-02-02 16:35:57 +01:00 committed by GitHub
parent b59353c657
commit 2b712107d2
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
10 changed files with 47 additions and 18 deletions


@ -335,6 +335,7 @@ The chart values are organised per component.
| features.forceFailurePolicyIgnore.enabled | bool | `false` | Enables the feature | | features.forceFailurePolicyIgnore.enabled | bool | `false` | Enables the feature |
| features.generateValidatingAdmissionPolicy.enabled | bool | `false` | Enables the feature | | features.generateValidatingAdmissionPolicy.enabled | bool | `false` | Enables the feature |
| features.globalContext.enabled | bool | `true` | Enables the feature | | features.globalContext.enabled | bool | `true` | Enables the feature |
| features.globalContext.maxApiCallResponseLength | int | `2000000` | Maximum allowed response size from API Calls. A value of 0 bypasses checks (not recommended) |
| features.logging.format | string | `"text"` | Logging format | | features.logging.format | string | `"text"` | Logging format |
| features.logging.verbosity | int | `2` | Logging verbosity | | features.logging.verbosity | int | `2` | Logging verbosity |
| features.omitEvents.eventTypes | list | `["PolicyApplied","PolicySkipped"]` | Events which should not be emitted (possible values `PolicyViolation`, `PolicyApplied`, `PolicyError`, and `PolicySkipped`) | | features.omitEvents.eventTypes | list | `["PolicyApplied","PolicySkipped"]` | Events which should not be emitted (possible values `PolicyViolation`, `PolicyApplied`, `PolicyError`, and `PolicySkipped`) |


@ -48,6 +48,7 @@
{{- end -}} {{- end -}}
{{- with .globalContext -}} {{- with .globalContext -}}
{{- $flags = append $flags (print "--enableGlobalContext=" .enabled) -}} {{- $flags = append $flags (print "--enableGlobalContext=" .enabled) -}}
{{- $flags = append $flags (print "--maxAPICallResponseLength=" (int .maxApiCallResponseLength)) -}}
{{- end -}} {{- end -}}
{{- with .logging -}} {{- with .logging -}}
{{- $flags = append $flags (print "--loggingFormat=" .format) -}} {{- $flags = append $flags (print "--loggingFormat=" .format) -}}
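Review bot: The new `(int .maxApiCallResponseLength)` at the `--maxAPICallResponseLength=` line silently turns a missing or null value into `0`, because Sprig's `int` coerces nil to 0, and on the flag side 0 is the documented "bypass checks" setting. A user who nulls the key (Helm drops null values during merge) would therefore render the least safe configuration instead of the chart default. Consider rendering the flag only when the value is set, or defaulting explicitly, e.g. `(int (default 2000000 .maxApiCallResponseLength))`, so the cap can only be disabled on purpose. This is an inference about how the enclosing `with .globalContext` block is exercised; the template continues outside the hunk.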


@ -632,6 +632,8 @@ features:
globalContext: globalContext:
# -- Enables the feature # -- Enables the feature
enabled: true enabled: true
# -- Maximum allowed response size from API Calls. A value of 0 bypasses checks (not recommended)
maxApiCallResponseLength: 2000000
logging: logging:
# -- Logging format # -- Logging format
format: text format: text


@ -161,6 +161,7 @@ func main() {
kyvernoInformer.Kyverno().V2alpha1().GlobalContextEntries(), kyvernoInformer.Kyverno().V2alpha1().GlobalContextEntries(),
setup.KyvernoDynamicClient, setup.KyvernoDynamicClient,
store.New(), store.New(),
maxAPICallResponseLength,
), ),
globalcontextcontroller.Workers, globalcontextcontroller.Workers,
) // this controller only subscribe to events, nothing is returned... ) // this controller only subscribe to events, nothing is returned...


@ -70,13 +70,14 @@ func sanityChecks(apiserverClient apiserver.Interface) error {
func main() { func main() {
var ( var (
dumpPayload bool dumpPayload bool
serverIP string serverIP string
servicePort int servicePort int
webhookServerPort int webhookServerPort int
maxQueuedEvents int maxQueuedEvents int
interval time.Duration interval time.Duration
renewBefore time.Duration renewBefore time.Duration
maxAPICallResponseLength int64
) )
flagset := flag.NewFlagSet("cleanup-controller", flag.ExitOnError) flagset := flag.NewFlagSet("cleanup-controller", flag.ExitOnError)
flagset.BoolVar(&dumpPayload, "dumpPayload", false, "Set this flag to activate/deactivate debug mode.") flagset.BoolVar(&dumpPayload, "dumpPayload", false, "Set this flag to activate/deactivate debug mode.")
@ -89,6 +90,7 @@ func main() {
flagset.StringVar(&caSecretName, "caSecretName", "", "Name of the secret containing CA.") flagset.StringVar(&caSecretName, "caSecretName", "", "Name of the secret containing CA.")
flagset.StringVar(&tlsSecretName, "tlsSecretName", "", "Name of the secret containing TLS pair.") flagset.StringVar(&tlsSecretName, "tlsSecretName", "", "Name of the secret containing TLS pair.")
flagset.DurationVar(&renewBefore, "renewBefore", 15*24*time.Hour, "The certificate renewal time before expiration") flagset.DurationVar(&renewBefore, "renewBefore", 15*24*time.Hour, "The certificate renewal time before expiration")
flagset.Int64Var(&maxAPICallResponseLength, "maxAPICallResponseLength", 2*1000*1000, "Maximum allowed response size from API Calls. A value of 0 bypasses checks (not recommended).")
// config // config
appConfig := internal.NewConfiguration( appConfig := internal.NewConfiguration(
internal.WithProfiling(), internal.WithProfiling(),
@ -165,6 +167,7 @@ func main() {
kyvernoInformer.Kyverno().V2alpha1().GlobalContextEntries(), kyvernoInformer.Kyverno().V2alpha1().GlobalContextEntries(),
setup.KyvernoDynamicClient, setup.KyvernoDynamicClient,
store.New(), store.New(),
maxAPICallResponseLength,
), ),
globalcontextcontroller.Workers, globalcontextcontroller.Workers,
) )
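Review bot: The new `flagset.Int64Var(&maxAPICallResponseLength, ...)` line accepts any int64, including negative values, and nothing in this hunk or the later call-site hunk rejects them before the value reaches `globalcontextcontroller.NewController`; whether `apicall.NewAPICallConfiguration` treats a negative cap as "bypass" or as an always-exceeded limit cannot be told from here. Since the cap is the safeguard against oversized external API responses, validating at parse time keeps the contract the help text states (0 = bypass, otherwise a positive limit): `if maxAPICallResponseLength < 0 { /* reject with a clear error and exit */ }`. The three other binaries whose hunks only pass `maxAPICallResponseLength` presumably get the flag from a shared declaration outside this diff, so the same check belongs there. `main` continues outside the hunk.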


@ -331,6 +331,7 @@ func main() {
kyvernoInformer.Kyverno().V2alpha1().GlobalContextEntries(), kyvernoInformer.Kyverno().V2alpha1().GlobalContextEntries(),
setup.KyvernoDynamicClient, setup.KyvernoDynamicClient,
store.New(), store.New(),
maxAPICallResponseLength,
), ),
globalcontextcontroller.Workers, globalcontextcontroller.Workers,
) )


@ -291,6 +291,7 @@ func main() {
kyvernoInformer.Kyverno().V2alpha1().GlobalContextEntries(), kyvernoInformer.Kyverno().V2alpha1().GlobalContextEntries(),
setup.KyvernoDynamicClient, setup.KyvernoDynamicClient,
store.New(), store.New(),
maxAPICallResponseLength,
), ),
globalcontextcontroller.Workers, globalcontextcontroller.Workers,
) )


@ -51837,6 +51837,7 @@ spec:
- --forceFailurePolicyIgnore=false - --forceFailurePolicyIgnore=false
- --generateValidatingAdmissionPolicy=false - --generateValidatingAdmissionPolicy=false
- --enableGlobalContext=true - --enableGlobalContext=true
- --maxAPICallResponseLength=2000000
- --loggingFormat=text - --loggingFormat=text
- --v=2 - --v=2
- --omitEvents=PolicyApplied,PolicySkipped - --omitEvents=PolicyApplied,PolicySkipped
@ -51989,6 +51990,7 @@ spec:
- --enableConfigMapCaching=true - --enableConfigMapCaching=true
- --enableDeferredLoading=true - --enableDeferredLoading=true
- --enableGlobalContext=true - --enableGlobalContext=true
- --maxAPICallResponseLength=2000000
- --loggingFormat=text - --loggingFormat=text
- --v=2 - --v=2
- --omitEvents=PolicyApplied,PolicySkipped - --omitEvents=PolicyApplied,PolicySkipped
@ -52097,6 +52099,7 @@ spec:
- --enableDeferredLoading=true - --enableDeferredLoading=true
- --dumpPayload=false - --dumpPayload=false
- --enableGlobalContext=true - --enableGlobalContext=true
- --maxAPICallResponseLength=2000000
- --loggingFormat=text - --loggingFormat=text
- --v=2 - --v=2
- --protectManagedResources=false - --protectManagedResources=false
@ -52238,6 +52241,7 @@ spec:
- --enableConfigMapCaching=true - --enableConfigMapCaching=true
- --enableDeferredLoading=true - --enableDeferredLoading=true
- --enableGlobalContext=true - --enableGlobalContext=true
- --maxAPICallResponseLength=2000000
- --loggingFormat=text - --loggingFormat=text
- --v=2 - --v=2
- --omitEvents=PolicyApplied,PolicySkipped - --omitEvents=PolicyApplied,PolicySkipped


@ -35,14 +35,16 @@ type controller struct {
queue workqueue.RateLimitingInterface queue workqueue.RateLimitingInterface
// state // state
dclient dclient.Interface dclient dclient.Interface
store store.Store store store.Store
maxResponseLength int64
} }
func NewController( func NewController(
gceInformer kyvernov2alpha1informers.GlobalContextEntryInformer, gceInformer kyvernov2alpha1informers.GlobalContextEntryInformer,
dclient dclient.Interface, dclient dclient.Interface,
storage store.Store, storage store.Store,
maxResponseLength int64,
) controllers.Controller { ) controllers.Controller {
queue := workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), ControllerName) queue := workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), ControllerName)
_, _, err := controllerutils.AddDefaultEventHandlers(logger, gceInformer.Informer(), queue) _, _, err := controllerutils.AddDefaultEventHandlers(logger, gceInformer.Informer(), queue)
@ -50,10 +52,11 @@ func NewController(
logger.Error(err, "failed to register event handlers") logger.Error(err, "failed to register event handlers")
} }
return &controller{ return &controller{
gceLister: gceInformer.Lister(), gceLister: gceInformer.Lister(),
queue: queue, queue: queue,
dclient: dclient, dclient: dclient,
store: storage, store: storage,
maxResponseLength: maxResponseLength,
} }
} }
@ -98,5 +101,12 @@ func (c *controller) makeStoreEntry(ctx context.Context, gce *kyvernov2alpha1.Gl
} }
return k8sresource.New(ctx, c.dclient.GetDynamicInterface(), gvr, gce.Spec.KubernetesResource.Namespace) return k8sresource.New(ctx, c.dclient.GetDynamicInterface(), gvr, gce.Spec.KubernetesResource.Namespace)
} }
return externalapi.New(ctx, logger, adapters.Client(c.dclient), gce.Spec.APICall.APICall, gce.Spec.APICall.RefreshInterval.Duration) return externalapi.New(
ctx,
logger,
adapters.Client(c.dclient),
gce.Spec.APICall.APICall,
gce.Spec.APICall.RefreshInterval.Duration,
c.maxResponseLength,
)
} }
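Review bot: The new `maxResponseLength int64` field and the matching `NewController` parameter carry no comment, so the only place a reader learns that 0 disables the size check is the flag help text in another binary. A one-line field comment would keep that contract next to the value that enforces it: `// maxResponseLength caps the byte size accepted from an external API call; 0 disables the check (not recommended).` The value is passed through `NewController` unchanged, so any range validation has to happen at the flag-parsing layer or be added here. `makeStoreEntry` begins outside the hunk.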


@ -17,7 +17,14 @@ type entry struct {
stop func() stop func()
} }
func New(ctx context.Context, logger logr.Logger, client apicall.ClientInterface, call kyvernov1.APICall, period time.Duration) (*entry, error) { func New(
ctx context.Context,
logger logr.Logger,
client apicall.ClientInterface,
call kyvernov1.APICall,
period time.Duration,
maxResponseLength int64,
) (*entry, error) {
var group wait.Group var group wait.Group
ctx, cancel := context.WithCancel(ctx) ctx, cancel := context.WithCancel(ctx)
stop := func() { stop := func() {
@ -31,11 +38,9 @@ func New(ctx context.Context, logger logr.Logger, client apicall.ClientInterface
} }
group.StartWithContext(ctx, func(ctx context.Context) { group.StartWithContext(ctx, func(ctx context.Context) {
// TODO: make sure we have called it at least once before returning // TODO: make sure we have called it at least once before returning
// TODO: config config := apicall.NewAPICallConfiguration(maxResponseLength)
config := apicall.NewAPICallConfiguration(10000)
caller := apicall.NewCaller(logger, "TODO", client, config) caller := apicall.NewCaller(logger, "TODO", client, config)
wait.UntilWithContext(ctx, func(ctx context.Context) { wait.UntilWithContext(ctx, func(ctx context.Context) {
// TODO
if data, err := doCall(ctx, caller, call); err != nil { if data, err := doCall(ctx, caller, call); err != nil {
logger.Error(err, "failed to get data from api caller") logger.Error(err, "failed to get data from api caller")
} else { } else {