feat: add flag to skip resource filters in reports controller (#6778)
* feat: add flag to skip resource filters in reports controller Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
parent
298e250693
commit
2f1ac317f4
18 changed files with 35 additions and 26 deletions
|
@ -9,6 +9,7 @@
|
||||||
- Image references in the json context are not mutated to canonical form anymore, do not assume a registry domain is always present.
|
- Image references in the json context are not mutated to canonical form anymore, do not assume a registry domain is always present.
|
||||||
- Added support for configuring webhook annotations in the config map through `webhookAnnotations` stanza.
|
- Added support for configuring webhook annotations in the config map through `webhookAnnotations` stanza.
|
||||||
- Added `excludeRoles` and `excludeClusterRoles` support in configuration.
|
- Added `excludeRoles` and `excludeClusterRoles` support in configuration.
|
||||||
|
- Added new flag `skipResourceFilters` to reports controller to enable/disable considering resource filters in the background (default value is `true`)
|
||||||
|
|
||||||
## v1.9.0-rc.1
|
## v1.9.0-rc.1
|
||||||
|
|
||||||
|
|
|
@ -386,7 +386,7 @@ The command removes all the Kubernetes components associated with the chart and
|
||||||
| reportsController.priorityClassName | string | `""` | Optional priority class |
|
| reportsController.priorityClassName | string | `""` | Optional priority class |
|
||||||
| reportsController.hostNetwork | bool | `false` | Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the `dnsPolicy` accordingly as well to suit the host network mode. |
|
| reportsController.hostNetwork | bool | `false` | Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the `dnsPolicy` accordingly as well to suit the host network mode. |
|
||||||
| reportsController.dnsPolicy | string | `"ClusterFirst"` | `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. |
|
| reportsController.dnsPolicy | string | `"ClusterFirst"` | `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. |
|
||||||
| reportsController.extraArgs | object | `{"clientRateLimitBurst":300,"clientRateLimitQPS":300}` | Extra arguments passed to the container on the command line |
|
| reportsController.extraArgs | object | `{"clientRateLimitBurst":300,"clientRateLimitQPS":300,"skipResourceFilters":true}` | Extra arguments passed to the container on the command line |
|
||||||
| reportsController.resources.limits | object | `{"memory":"128Mi"}` | Pod resource limits |
|
| reportsController.resources.limits | object | `{"memory":"128Mi"}` | Pod resource limits |
|
||||||
| reportsController.resources.requests | object | `{"cpu":"100m","memory":"64Mi"}` | Pod resource requests |
|
| reportsController.resources.requests | object | `{"cpu":"100m","memory":"64Mi"}` | Pod resource requests |
|
||||||
| reportsController.nodeSelector | object | `{}` | Node labels for pod assignment |
|
| reportsController.nodeSelector | object | `{}` | Node labels for pod assignment |
|
||||||
|
|
|
@ -937,6 +937,7 @@ reportsController:
|
||||||
extraArgs:
|
extraArgs:
|
||||||
clientRateLimitQPS: 300
|
clientRateLimitQPS: 300
|
||||||
clientRateLimitBurst: 300
|
clientRateLimitBurst: 300
|
||||||
|
skipResourceFilters: true
|
||||||
|
|
||||||
resources:
|
resources:
|
||||||
# -- Pod resource limits
|
# -- Pod resource limits
|
||||||
|
|
|
@ -207,7 +207,7 @@ func main() {
|
||||||
logger.Error(err, "failed to create config map resolver")
|
logger.Error(err, "failed to create config map resolver")
|
||||||
os.Exit(1)
|
os.Exit(1)
|
||||||
}
|
}
|
||||||
configuration, err := config.NewConfiguration(kubeClient)
|
configuration, err := config.NewConfiguration(kubeClient, false)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logger.Error(err, "failed to initialize configuration")
|
logger.Error(err, "failed to initialize configuration")
|
||||||
os.Exit(1)
|
os.Exit(1)
|
||||||
|
|
|
@ -225,7 +225,7 @@ func main() {
|
||||||
DumpPayload: dumpPayload,
|
DumpPayload: dumpPayload,
|
||||||
},
|
},
|
||||||
probes{},
|
probes{},
|
||||||
config.NewDefaultConfiguration(),
|
config.NewDefaultConfiguration(false),
|
||||||
)
|
)
|
||||||
// start server
|
// start server
|
||||||
server.Run(ctx.Done())
|
server.Run(ctx.Done())
|
||||||
|
|
|
@ -451,7 +451,7 @@ OuterLoop:
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
cfg := config.NewDefaultConfiguration()
|
cfg := config.NewDefaultConfiguration(false)
|
||||||
if err := ctx.AddImageInfos(c.Resource, cfg); err != nil {
|
if err := ctx.AddImageInfos(c.Resource, cfg); err != nil {
|
||||||
log.Log.Error(err, "failed to add image variables to context")
|
log.Log.Error(err, "failed to add image variables to context")
|
||||||
}
|
}
|
||||||
|
@ -1072,7 +1072,7 @@ func initializeMockController(objects []runtime.Object) (*generate.GenerateContr
|
||||||
|
|
||||||
client.SetDiscovery(dclient.NewFakeDiscoveryClient(nil))
|
client.SetDiscovery(dclient.NewFakeDiscoveryClient(nil))
|
||||||
c := generate.NewGenerateControllerWithOnlyClient(client, engine.NewEngine(
|
c := generate.NewGenerateControllerWithOnlyClient(client, engine.NewEngine(
|
||||||
config.NewDefaultConfiguration(),
|
config.NewDefaultConfiguration(false),
|
||||||
client,
|
client,
|
||||||
nil,
|
nil,
|
||||||
store.ContextLoaderFactory(nil),
|
store.ContextLoaderFactory(nil),
|
||||||
|
|
|
@ -322,7 +322,7 @@ func main() {
|
||||||
logger.Error(err, "failed to create config map resolver")
|
logger.Error(err, "failed to create config map resolver")
|
||||||
os.Exit(1)
|
os.Exit(1)
|
||||||
}
|
}
|
||||||
configuration, err := config.NewConfiguration(kubeClient)
|
configuration, err := config.NewConfiguration(kubeClient, false)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logger.Error(err, "failed to initialize configuration")
|
logger.Error(err, "failed to initialize configuration")
|
||||||
os.Exit(1)
|
os.Exit(1)
|
||||||
|
|
|
@ -220,6 +220,7 @@ func main() {
|
||||||
maxQueuedEvents int
|
maxQueuedEvents int
|
||||||
enablePolicyException bool
|
enablePolicyException bool
|
||||||
exceptionNamespace string
|
exceptionNamespace string
|
||||||
|
skipResourceFilters bool
|
||||||
)
|
)
|
||||||
flagset := flag.NewFlagSet("reports-controller", flag.ExitOnError)
|
flagset := flag.NewFlagSet("reports-controller", flag.ExitOnError)
|
||||||
flagset.DurationVar(&leaderElectionRetryPeriod, "leaderElectionRetryPeriod", leaderelection.DefaultRetryPeriod, "Configure leader election retry period.")
|
flagset.DurationVar(&leaderElectionRetryPeriod, "leaderElectionRetryPeriod", leaderelection.DefaultRetryPeriod, "Configure leader election retry period.")
|
||||||
|
@ -234,6 +235,7 @@ func main() {
|
||||||
flagset.IntVar(&maxQueuedEvents, "maxQueuedEvents", 1000, "Maximum events to be queued.")
|
flagset.IntVar(&maxQueuedEvents, "maxQueuedEvents", 1000, "Maximum events to be queued.")
|
||||||
flagset.StringVar(&exceptionNamespace, "exceptionNamespace", "", "Configure the namespace to accept PolicyExceptions.")
|
flagset.StringVar(&exceptionNamespace, "exceptionNamespace", "", "Configure the namespace to accept PolicyExceptions.")
|
||||||
flagset.BoolVar(&enablePolicyException, "enablePolicyException", false, "Enable PolicyException feature.")
|
flagset.BoolVar(&enablePolicyException, "enablePolicyException", false, "Enable PolicyException feature.")
|
||||||
|
flagset.BoolVar(&skipResourceFilters, "skipResourceFilters", true, "If true, resource filters wont be considered.")
|
||||||
// config
|
// config
|
||||||
appConfig := internal.NewConfiguration(
|
appConfig := internal.NewConfiguration(
|
||||||
internal.WithProfiling(),
|
internal.WithProfiling(),
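Review bot: The help text of the new flag has a typo (`wont`) and does not tell operators the consequence of the default `true`: as far as the config package hunks show, a set flag makes `ToFilter` skip the `resourceFilters` loaded from the config map, so resources an admin excluded there are still considered by the reports controller. Suggest `flagset.BoolVar(&skipResourceFilters, "skipResourceFilters", true, "If true, resource filters from the config map won't be considered by the reports controller.")`. The flag is also the only one in this block whose default is `true`, which is worth stating in the CHANGELOG entry wording as the behaviour change it is. main's body continues outside the hunk.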
|
||||||
|
@ -298,7 +300,7 @@ func main() {
|
||||||
logger.Error(err, "failed to create config map resolver")
|
logger.Error(err, "failed to create config map resolver")
|
||||||
os.Exit(1)
|
os.Exit(1)
|
||||||
}
|
}
|
||||||
configuration, err := config.NewConfiguration(kubeClient)
|
configuration, err := config.NewConfiguration(kubeClient, skipResourceFilters)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logger.Error(err, "failed to initialize configuration")
|
logger.Error(err, "failed to initialize configuration")
|
||||||
os.Exit(1)
|
os.Exit(1)
|
||||||
|
|
|
@ -34969,6 +34969,7 @@ spec:
|
||||||
- --metricsPort=8000
|
- --metricsPort=8000
|
||||||
- --clientRateLimitBurst=300
|
- --clientRateLimitBurst=300
|
||||||
- --clientRateLimitQPS=300
|
- --clientRateLimitQPS=300
|
||||||
|
- --skipResourceFilters=true
|
||||||
env:
|
env:
|
||||||
- name: METRICS_CONFIG
|
- name: METRICS_CONFIG
|
||||||
value: kyverno-metrics
|
value: kyverno-metrics
|
||||||
|
|
|
@ -161,6 +161,7 @@ type Configuration interface {
|
||||||
|
|
||||||
// configuration stores the configuration
|
// configuration stores the configuration
|
||||||
type configuration struct {
|
type configuration struct {
|
||||||
|
skipResourceFilters bool
|
||||||
defaultRegistry string
|
defaultRegistry string
|
||||||
enableDefaultRegistryMutation bool
|
enableDefaultRegistryMutation bool
|
||||||
excludedGroups []string
|
excludedGroups []string
|
||||||
|
@ -176,8 +177,9 @@ type configuration struct {
|
||||||
}
|
}
|
||||||
|
|
||||||
// NewDefaultConfiguration ...
|
// NewDefaultConfiguration ...
|
||||||
func NewDefaultConfiguration() *configuration {
|
func NewDefaultConfiguration(skipResourceFilters bool) *configuration {
|
||||||
return &configuration{
|
return &configuration{
|
||||||
|
skipResourceFilters: skipResourceFilters,
|
||||||
defaultRegistry: "docker.io",
|
defaultRegistry: "docker.io",
|
||||||
enableDefaultRegistryMutation: true,
|
enableDefaultRegistryMutation: true,
|
||||||
excludedGroups: defaultExcludedGroups,
|
excludedGroups: defaultExcludedGroups,
|
||||||
|
@ -186,8 +188,8 @@ func NewDefaultConfiguration() *configuration {
|
||||||
}
|
}
|
||||||
|
|
||||||
// NewConfiguration ...
|
// NewConfiguration ...
|
||||||
func NewConfiguration(client kubernetes.Interface) (Configuration, error) {
|
func NewConfiguration(client kubernetes.Interface, skipResourceFilters bool) (Configuration, error) {
|
||||||
cd := NewDefaultConfiguration()
|
cd := NewDefaultConfiguration(skipResourceFilters)
|
||||||
if cm, err := client.CoreV1().ConfigMaps(kyvernoNamespace).Get(context.TODO(), kyvernoConfigMapName, metav1.GetOptions{}); err != nil {
|
if cm, err := client.CoreV1().ConfigMaps(kyvernoNamespace).Get(context.TODO(), kyvernoConfigMapName, metav1.GetOptions{}); err != nil {
|
||||||
if !errors.IsNotFound(err) {
|
if !errors.IsNotFound(err) {
|
||||||
return nil, err
|
return nil, err
|
||||||
|
@ -201,6 +203,7 @@ func NewConfiguration(client kubernetes.Interface) (Configuration, error) {
|
||||||
func (cd *configuration) ToFilter(kind, namespace, name string) bool {
|
func (cd *configuration) ToFilter(kind, namespace, name string) bool {
|
||||||
cd.mux.RLock()
|
cd.mux.RLock()
|
||||||
defer cd.mux.RUnlock()
|
defer cd.mux.RUnlock()
|
||||||
|
if !cd.skipResourceFilters {
|
||||||
for _, f := range cd.filters {
|
for _, f := range cd.filters {
|
||||||
if wildcard.Match(f.Kind, kind) && wildcard.Match(f.Namespace, namespace) && wildcard.Match(f.Name, name) {
|
if wildcard.Match(f.Kind, kind) && wildcard.Match(f.Namespace, namespace) && wildcard.Match(f.Name, name) {
|
||||||
return true
|
return true
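Review bot: The new guard nests the whole filter loop one level deeper; an early return after the deferred RUnlock, `if cd.skipResourceFilters { return false }`, keeps the loop as it was and makes the bypass explicit. A short comment on that line, such as `// skipResourceFilters bypasses the config map's resourceFilters entirely; every resource is then considered`, would help readers of ToFilter, whose body continues past this hunk. As far as these hunks show, the field is set only in NewDefaultConfiguration and never read from the config map, so it cannot change at runtime like the other settings do; worth confirming against Load and stating in the field comment. The doc comments `// NewDefaultConfiguration ...` and `// NewConfiguration ...` in the preceding hunks are still placeholders and should now describe what the new parameter does.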
|
||||||
|
@ -212,6 +215,7 @@ func (cd *configuration) ToFilter(kind, namespace, name string) bool {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -140,7 +140,7 @@ func (c *controller) enqueue() {
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *controller) loadConfig() config.Configuration {
|
func (c *controller) loadConfig() config.Configuration {
|
||||||
cfg := config.NewDefaultConfiguration()
|
cfg := config.NewDefaultConfiguration(false)
|
||||||
cm, err := c.configMapLister.ConfigMaps(config.KyvernoNamespace()).Get(config.KyvernoConfigMapName())
|
cm, err := c.configMapLister.ConfigMaps(config.KyvernoNamespace()).Get(config.KyvernoConfigMapName())
|
||||||
if err == nil {
|
if err == nil {
|
||||||
cfg.Load(cm)
|
cfg.Load(cm)
|
||||||
|
|
|
@ -294,7 +294,7 @@ func (c *controller) enqueueVerifyWebhook() {
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *controller) loadConfig() config.Configuration {
|
func (c *controller) loadConfig() config.Configuration {
|
||||||
cfg := config.NewDefaultConfiguration()
|
cfg := config.NewDefaultConfiguration(false)
|
||||||
cm, err := c.configMapLister.ConfigMaps(config.KyvernoNamespace()).Get(config.KyvernoConfigMapName())
|
cm, err := c.configMapLister.ConfigMaps(config.KyvernoNamespace()).Get(config.KyvernoConfigMapName())
|
||||||
if err == nil {
|
if err == nil {
|
||||||
cfg.Load(cm)
|
cfg.Load(cm)
|
||||||
|
|
|
@ -619,7 +619,7 @@ FdGxexVrR4YqO1pRViKxmD9oMu4I7K/4sM51nbH65ycB2uRiDfIdRoV/+A==
|
||||||
|
|
||||||
var (
|
var (
|
||||||
h = validateManifestHandler{}
|
h = validateManifestHandler{}
|
||||||
cfg = config.NewDefaultConfiguration()
|
cfg = config.NewDefaultConfiguration(false)
|
||||||
)
|
)
|
||||||
|
|
||||||
func Test_VerifyManifest_SignedYAML(t *testing.T) {
|
func Test_VerifyManifest_SignedYAML(t *testing.T) {
|
||||||
|
|
|
@ -161,7 +161,7 @@ var signaturePayloads = [][]byte{
|
||||||
[]byte(`{"critical":{"identity":{"docker-reference":"ghcr.io/kyverno/test-verify-image"},"image":{"docker-manifest-digest":"sha256:b31bfb4d0213f254d361e0079deaaebefa4f82ba7aa76ef82e90b4935ad5b105"},"type":"cosign container image signature"},"optional":null}`),
|
[]byte(`{"critical":{"identity":{"docker-reference":"ghcr.io/kyverno/test-verify-image"},"image":{"docker-manifest-digest":"sha256:b31bfb4d0213f254d361e0079deaaebefa4f82ba7aa76ef82e90b4935ad5b105"},"type":"cosign container image signature"},"optional":null}`),
|
||||||
}
|
}
|
||||||
|
|
||||||
var cfg = config.NewDefaultConfiguration()
|
var cfg = config.NewDefaultConfiguration(false)
|
||||||
|
|
||||||
func testVerifyAndPatchImages(
|
func testVerifyAndPatchImages(
|
||||||
ctx context.Context,
|
ctx context.Context,
|
||||||
|
|
|
@ -10,7 +10,7 @@ import (
|
||||||
"gotest.tools/assert"
|
"gotest.tools/assert"
|
||||||
)
|
)
|
||||||
|
|
||||||
var cfg = config.NewDefaultConfiguration()
|
var cfg = config.NewDefaultConfiguration(false)
|
||||||
|
|
||||||
func Test_extractImageInfo(t *testing.T) {
|
func Test_extractImageInfo(t *testing.T) {
|
||||||
tests := []struct {
|
tests := []struct {
|
||||||
|
|
|
@ -21,7 +21,7 @@ func initializeMockConfig(defaultRegistry string, enableDefaultRegistryMutation
|
||||||
Data: configMapData,
|
Data: configMapData,
|
||||||
}
|
}
|
||||||
cs := fake.NewSimpleClientset(&cm)
|
cs := fake.NewSimpleClientset(&cm)
|
||||||
dynamicConfig, err := config.NewConfiguration(cs)
|
dynamicConfig, err := config.NewConfiguration(cs, false)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
|
@ -35,7 +35,7 @@ func NewFakeHandlers(ctx context.Context, policyCache policycache.Cache) webhook
|
||||||
kyvernoInformers.Start(ctx.Done())
|
kyvernoInformers.Start(ctx.Done())
|
||||||
|
|
||||||
dclient := dclient.NewEmptyFakeClient()
|
dclient := dclient.NewEmptyFakeClient()
|
||||||
configuration := config.NewDefaultConfiguration()
|
configuration := config.NewDefaultConfiguration(false)
|
||||||
urLister := kyvernoInformers.Kyverno().V1beta1().UpdateRequests().Lister().UpdateRequests(config.KyvernoNamespace())
|
urLister := kyvernoInformers.Kyverno().V1beta1().UpdateRequests().Lister().UpdateRequests(config.KyvernoNamespace())
|
||||||
peLister := kyvernoInformers.Kyverno().V2alpha1().PolicyExceptions().Lister()
|
peLister := kyvernoInformers.Kyverno().V2alpha1().PolicyExceptions().Lister()
|
||||||
rclient := registryclient.NewOrDie()
|
rclient := registryclient.NewOrDie()
|
||||||
|
|
|
@ -1050,7 +1050,7 @@ func TestValidate_failure_action_overrides(t *testing.T) {
|
||||||
}
|
}
|
||||||
|
|
||||||
eng := engine.NewEngine(
|
eng := engine.NewEngine(
|
||||||
config.NewDefaultConfiguration(),
|
config.NewDefaultConfiguration(false),
|
||||||
nil,
|
nil,
|
||||||
registryclient.NewOrDie(),
|
registryclient.NewOrDie(),
|
||||||
engineapi.DefaultContextLoaderFactory(nil),
|
engineapi.DefaultContextLoaderFactory(nil),
|
||||||
|
@ -1129,7 +1129,7 @@ func Test_RuleSelector(t *testing.T) {
|
||||||
ctx := engine.NewPolicyContext(kyvernov1.Create).WithPolicy(&policy).WithNewResource(*resourceUnstructured)
|
ctx := engine.NewPolicyContext(kyvernov1.Create).WithPolicy(&policy).WithNewResource(*resourceUnstructured)
|
||||||
|
|
||||||
eng := engine.NewEngine(
|
eng := engine.NewEngine(
|
||||||
config.NewDefaultConfiguration(),
|
config.NewDefaultConfiguration(false),
|
||||||
nil,
|
nil,
|
||||||
registryclient.NewOrDie(),
|
registryclient.NewOrDie(),
|
||||||
engineapi.DefaultContextLoaderFactory(nil),
|
engineapi.DefaultContextLoaderFactory(nil),
|
||||||
|
|