
feat: add flag to skip resource filters in reports controller (#6778)

* feat: add flag to skip resource filters in reports controller

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* codegen

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché 2023-04-04 15:05:29 +02:00 committed by GitHub
parent 298e250693
commit 2f1ac317f4
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
18 changed files with 35 additions and 26 deletions


@ -9,6 +9,7 @@
- Image references in the json context are not mutated to canonical form anymore, do not assume a registry domain is always present.
- Added support for configuring webhook annotations in the config map through `webhookAnnotations` stanza.
- Added `excludeRoles` and `excludeClusterRoles` support in configuration.
- Added new flag `skipResourceFilters` to reports controller to enable/disable considering resource filters in the background (default value is `true`)
## v1.9.0-rc.1


@ -386,7 +386,7 @@ The command removes all the Kubernetes components associated with the chart and
| reportsController.priorityClassName | string | `""` | Optional priority class |
| reportsController.hostNetwork | bool | `false` | Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the `dnsPolicy` accordingly as well to suit the host network mode. |
| reportsController.dnsPolicy | string | `"ClusterFirst"` | `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. |
| reportsController.extraArgs | object | `{"clientRateLimitBurst":300,"clientRateLimitQPS":300}` | Extra arguments passed to the container on the command line |
| reportsController.extraArgs | object | `{"clientRateLimitBurst":300,"clientRateLimitQPS":300,"skipResourceFilters":true}` | Extra arguments passed to the container on the command line |
| reportsController.resources.limits | object | `{"memory":"128Mi"}` | Pod resource limits |
| reportsController.resources.requests | object | `{"cpu":"100m","memory":"64Mi"}` | Pod resource requests |
| reportsController.nodeSelector | object | `{}` | Node labels for pod assignment |


@ -937,6 +937,7 @@ reportsController:
extraArgs:
clientRateLimitQPS: 300
clientRateLimitBurst: 300
skipResourceFilters: true
resources:
# -- Pod resource limits


@ -207,7 +207,7 @@ func main() {
logger.Error(err, "failed to create config map resolver")
os.Exit(1)
}
configuration, err := config.NewConfiguration(kubeClient)
configuration, err := config.NewConfiguration(kubeClient, false)
if err != nil {
logger.Error(err, "failed to initialize configuration")
os.Exit(1)


@ -225,7 +225,7 @@ func main() {
DumpPayload: dumpPayload,
},
probes{},
config.NewDefaultConfiguration(),
config.NewDefaultConfiguration(false),
)
// start server
server.Run(ctx.Done())


@ -451,7 +451,7 @@ OuterLoop:
}
}
cfg := config.NewDefaultConfiguration()
cfg := config.NewDefaultConfiguration(false)
if err := ctx.AddImageInfos(c.Resource, cfg); err != nil {
log.Log.Error(err, "failed to add image variables to context")
}
@ -1072,7 +1072,7 @@ func initializeMockController(objects []runtime.Object) (*generate.GenerateContr
client.SetDiscovery(dclient.NewFakeDiscoveryClient(nil))
c := generate.NewGenerateControllerWithOnlyClient(client, engine.NewEngine(
config.NewDefaultConfiguration(),
config.NewDefaultConfiguration(false),
client,
nil,
store.ContextLoaderFactory(nil),


@ -322,7 +322,7 @@ func main() {
logger.Error(err, "failed to create config map resolver")
os.Exit(1)
}
configuration, err := config.NewConfiguration(kubeClient)
configuration, err := config.NewConfiguration(kubeClient, false)
if err != nil {
logger.Error(err, "failed to initialize configuration")
os.Exit(1)


@ -220,6 +220,7 @@ func main() {
maxQueuedEvents int
enablePolicyException bool
exceptionNamespace string
skipResourceFilters bool
)
flagset := flag.NewFlagSet("reports-controller", flag.ExitOnError)
flagset.DurationVar(&leaderElectionRetryPeriod, "leaderElectionRetryPeriod", leaderelection.DefaultRetryPeriod, "Configure leader election retry period.")
@ -234,6 +235,7 @@ func main() {
flagset.IntVar(&maxQueuedEvents, "maxQueuedEvents", 1000, "Maximum events to be queued.")
flagset.StringVar(&exceptionNamespace, "exceptionNamespace", "", "Configure the namespace to accept PolicyExceptions.")
flagset.BoolVar(&enablePolicyException, "enablePolicyException", false, "Enable PolicyException feature.")
flagset.BoolVar(&skipResourceFilters, "skipResourceFilters", true, "If true, resource filters wont be considered.")
// config
appConfig := internal.NewConfiguration(
internal.WithProfiling(),
@ -298,7 +300,7 @@ func main() {
logger.Error(err, "failed to create config map resolver")
os.Exit(1)
}
configuration, err := config.NewConfiguration(kubeClient)
configuration, err := config.NewConfiguration(kubeClient, skipResourceFilters)
if err != nil {
logger.Error(err, "failed to initialize configuration")
os.Exit(1)
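Review bot: The help text of the new flag in the `flagset.BoolVar(&skipResourceFilters, "skipResourceFilters", true, ...)` line has a typo (`wont`) and does not say what is being skipped; suggest `"If true, resource filters won't be applied by this controller."`. Because the default is `true` and the previous code called `config.NewConfiguration(kubeClient)`, which always honoured the filters, an existing deployment that upgrades without setting the flag will presumably start processing resources its `resourceFilters` used to exclude — the changelog records the default, but the flag description is where operators will actually read it, so it is worth spelling that consequence out there too. `main` continues outside the hunk.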


@ -34969,6 +34969,7 @@ spec:
- --metricsPort=8000
- --clientRateLimitBurst=300
- --clientRateLimitQPS=300
- --skipResourceFilters=true
env:
- name: METRICS_CONFIG
value: kyverno-metrics


@ -161,6 +161,7 @@ type Configuration interface {
// configuration stores the configuration
type configuration struct {
skipResourceFilters bool
defaultRegistry string
enableDefaultRegistryMutation bool
excludedGroups []string
@ -176,8 +177,9 @@ type configuration struct {
}
// NewDefaultConfiguration ...
func NewDefaultConfiguration() *configuration {
func NewDefaultConfiguration(skipResourceFilters bool) *configuration {
return &configuration{
skipResourceFilters: skipResourceFilters,
defaultRegistry: "docker.io",
enableDefaultRegistryMutation: true,
excludedGroups: defaultExcludedGroups,
@ -186,8 +188,8 @@ func NewDefaultConfiguration() *configuration {
}
// NewConfiguration ...
func NewConfiguration(client kubernetes.Interface) (Configuration, error) {
cd := NewDefaultConfiguration()
func NewConfiguration(client kubernetes.Interface, skipResourceFilters bool) (Configuration, error) {
cd := NewDefaultConfiguration(skipResourceFilters)
if cm, err := client.CoreV1().ConfigMaps(kyvernoNamespace).Get(context.TODO(), kyvernoConfigMapName, metav1.GetOptions{}); err != nil {
if !errors.IsNotFound(err) {
return nil, err
@ -201,15 +203,17 @@ func NewConfiguration(client kubernetes.Interface) (Configuration, error) {
func (cd *configuration) ToFilter(kind, namespace, name string) bool {
cd.mux.RLock()
defer cd.mux.RUnlock()
for _, f := range cd.filters {
if wildcard.Match(f.Kind, kind) && wildcard.Match(f.Namespace, namespace) && wildcard.Match(f.Name, name) {
return true
}
if kind == "Namespace" {
// [Namespace,kube-system,*] || [*,kube-system,*]
if (f.Kind == "Namespace" || f.Kind == "*") && wildcard.Match(f.Namespace, name) {
if !cd.skipResourceFilters {
for _, f := range cd.filters {
if wildcard.Match(f.Kind, kind) && wildcard.Match(f.Namespace, namespace) && wildcard.Match(f.Name, name) {
return true
}
if kind == "Namespace" {
// [Namespace,kube-system,*] || [*,kube-system,*]
if (f.Kind == "Namespace" || f.Kind == "*") && wildcard.Match(f.Namespace, name) {
return true
}
}
}
}
return false
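Review bot: `ToFilter` now wraps the whole matching loop in `if !cd.skipResourceFilters { … }`, which re-indents every line of the loop; an early `if cd.skipResourceFilters { return false }` placed right after `defer cd.mux.RUnlock()` leaves the loop body untouched and keeps the happy path left-aligned. As far as this hunk shows the field is only assigned in `NewDefaultConfiguration`, so taking the read lock just to read it is harmless but presumably unnecessary — a one-line comment saying it is immutable after construction would settle that for the next reader. The doc comments on `NewDefaultConfiguration` and `NewConfiguration` are still the placeholder `// NewDefaultConfiguration ...` / `// NewConfiguration ...`; now that both take a parameter, document it, e.g. `// NewDefaultConfiguration returns the built-in defaults. When skipResourceFilters is true, ToFilter reports false for every resource, i.e. the configured filters are never applied.` `ToFilter`'s closing brace lies outside the hunk.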


@ -140,7 +140,7 @@ func (c *controller) enqueue() {
}
func (c *controller) loadConfig() config.Configuration {
cfg := config.NewDefaultConfiguration()
cfg := config.NewDefaultConfiguration(false)
cm, err := c.configMapLister.ConfigMaps(config.KyvernoNamespace()).Get(config.KyvernoConfigMapName())
if err == nil {
cfg.Load(cm)


@ -294,7 +294,7 @@ func (c *controller) enqueueVerifyWebhook() {
}
func (c *controller) loadConfig() config.Configuration {
cfg := config.NewDefaultConfiguration()
cfg := config.NewDefaultConfiguration(false)
cm, err := c.configMapLister.ConfigMaps(config.KyvernoNamespace()).Get(config.KyvernoConfigMapName())
if err == nil {
cfg.Load(cm)


@ -619,7 +619,7 @@ FdGxexVrR4YqO1pRViKxmD9oMu4I7K/4sM51nbH65ycB2uRiDfIdRoV/+A==
var (
h = validateManifestHandler{}
cfg = config.NewDefaultConfiguration()
cfg = config.NewDefaultConfiguration(false)
)
func Test_VerifyManifest_SignedYAML(t *testing.T) {


@ -161,7 +161,7 @@ var signaturePayloads = [][]byte{
[]byte(`{"critical":{"identity":{"docker-reference":"ghcr.io/kyverno/test-verify-image"},"image":{"docker-manifest-digest":"sha256:b31bfb4d0213f254d361e0079deaaebefa4f82ba7aa76ef82e90b4935ad5b105"},"type":"cosign container image signature"},"optional":null}`),
}
var cfg = config.NewDefaultConfiguration()
var cfg = config.NewDefaultConfiguration(false)
func testVerifyAndPatchImages(
ctx context.Context,


@ -10,7 +10,7 @@ import (
"gotest.tools/assert"
)
var cfg = config.NewDefaultConfiguration()
var cfg = config.NewDefaultConfiguration(false)
func Test_extractImageInfo(t *testing.T) {
tests := []struct {


@ -21,7 +21,7 @@ func initializeMockConfig(defaultRegistry string, enableDefaultRegistryMutation
Data: configMapData,
}
cs := fake.NewSimpleClientset(&cm)
dynamicConfig, err := config.NewConfiguration(cs)
dynamicConfig, err := config.NewConfiguration(cs, false)
if err != nil {
return nil, err
}


@ -35,7 +35,7 @@ func NewFakeHandlers(ctx context.Context, policyCache policycache.Cache) webhook
kyvernoInformers.Start(ctx.Done())
dclient := dclient.NewEmptyFakeClient()
configuration := config.NewDefaultConfiguration()
configuration := config.NewDefaultConfiguration(false)
urLister := kyvernoInformers.Kyverno().V1beta1().UpdateRequests().Lister().UpdateRequests(config.KyvernoNamespace())
peLister := kyvernoInformers.Kyverno().V2alpha1().PolicyExceptions().Lister()
rclient := registryclient.NewOrDie()


@ -1050,7 +1050,7 @@ func TestValidate_failure_action_overrides(t *testing.T) {
}
eng := engine.NewEngine(
config.NewDefaultConfiguration(),
config.NewDefaultConfiguration(false),
nil,
registryclient.NewOrDie(),
engineapi.DefaultContextLoaderFactory(nil),
@ -1129,7 +1129,7 @@ func Test_RuleSelector(t *testing.T) {
ctx := engine.NewPolicyContext(kyvernov1.Create).WithPolicy(&policy).WithNewResource(*resourceUnstructured)
eng := engine.NewEngine(
config.NewDefaultConfiguration(),
config.NewDefaultConfiguration(false),
nil,
registryclient.NewOrDie(),
engineapi.DefaultContextLoaderFactory(nil),