
feat: add flag to skip resource filters in reports controller (#6778)

* feat: add flag to skip resource filters in reports controller

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* codegen

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché 2023-04-04 15:05:29 +02:00 committed by GitHub
parent 298e250693
commit 2f1ac317f4
18 changed files with 35 additions and 26 deletions


@ -9,6 +9,7 @@
- Image references in the json context are not mutated to canonical form anymore, do not assume a registry domain is always present. - Image references in the json context are not mutated to canonical form anymore, do not assume a registry domain is always present.
- Added support for configuring webhook annotations in the config map through `webhookAnnotations` stanza. - Added support for configuring webhook annotations in the config map through `webhookAnnotations` stanza.
- Added `excludeRoles` and `excludeClusterRoles` support in configuration. - Added `excludeRoles` and `excludeClusterRoles` support in configuration.
- Added new flag `skipResourceFilters` to reports controller to enable/disable considering resource filters in the background (default value is `true`)
## v1.9.0-rc.1 ## v1.9.0-rc.1


@ -386,7 +386,7 @@ The command removes all the Kubernetes components associated with the chart and
| reportsController.priorityClassName | string | `""` | Optional priority class | | reportsController.priorityClassName | string | `""` | Optional priority class |
| reportsController.hostNetwork | bool | `false` | Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the `dnsPolicy` accordingly as well to suit the host network mode. | | reportsController.hostNetwork | bool | `false` | Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the `dnsPolicy` accordingly as well to suit the host network mode. |
| reportsController.dnsPolicy | string | `"ClusterFirst"` | `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. | | reportsController.dnsPolicy | string | `"ClusterFirst"` | `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. |
| reportsController.extraArgs | object | `{"clientRateLimitBurst":300,"clientRateLimitQPS":300}` | Extra arguments passed to the container on the command line | | reportsController.extraArgs | object | `{"clientRateLimitBurst":300,"clientRateLimitQPS":300,"skipResourceFilters":true}` | Extra arguments passed to the container on the command line |
| reportsController.resources.limits | object | `{"memory":"128Mi"}` | Pod resource limits | | reportsController.resources.limits | object | `{"memory":"128Mi"}` | Pod resource limits |
| reportsController.resources.requests | object | `{"cpu":"100m","memory":"64Mi"}` | Pod resource requests | | reportsController.resources.requests | object | `{"cpu":"100m","memory":"64Mi"}` | Pod resource requests |
| reportsController.nodeSelector | object | `{}` | Node labels for pod assignment | | reportsController.nodeSelector | object | `{}` | Node labels for pod assignment |


@ -937,6 +937,7 @@ reportsController:
extraArgs: extraArgs:
clientRateLimitQPS: 300 clientRateLimitQPS: 300
clientRateLimitBurst: 300 clientRateLimitBurst: 300
skipResourceFilters: true
resources: resources:
# -- Pod resource limits # -- Pod resource limits


@ -207,7 +207,7 @@ func main() {
logger.Error(err, "failed to create config map resolver") logger.Error(err, "failed to create config map resolver")
os.Exit(1) os.Exit(1)
} }
configuration, err := config.NewConfiguration(kubeClient) configuration, err := config.NewConfiguration(kubeClient, false)
if err != nil { if err != nil {
logger.Error(err, "failed to initialize configuration") logger.Error(err, "failed to initialize configuration")
os.Exit(1) os.Exit(1)
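Review bot: The bare `false` passed on the changed line `configuration, err := config.NewConfiguration(kubeClient, false)` is an opaque boolean literal; a reader cannot tell whether it means "apply the resource filters" or "skip them" without opening the callee. A one-line comment such as `// resource filters from the config map are honoured here (not skipped)` on this call would carry the intent, and the same applies to every other `NewConfiguration(..., false)` and `NewDefaultConfiguration(false)` call site this commit updates in the other controllers and tests. The enclosing main continues outside the hunk.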


@ -225,7 +225,7 @@ func main() {
DumpPayload: dumpPayload, DumpPayload: dumpPayload,
}, },
probes{}, probes{},
config.NewDefaultConfiguration(), config.NewDefaultConfiguration(false),
) )
// start server // start server
server.Run(ctx.Done()) server.Run(ctx.Done())


@ -451,7 +451,7 @@ OuterLoop:
} }
} }
cfg := config.NewDefaultConfiguration() cfg := config.NewDefaultConfiguration(false)
if err := ctx.AddImageInfos(c.Resource, cfg); err != nil { if err := ctx.AddImageInfos(c.Resource, cfg); err != nil {
log.Log.Error(err, "failed to add image variables to context") log.Log.Error(err, "failed to add image variables to context")
} }
@ -1072,7 +1072,7 @@ func initializeMockController(objects []runtime.Object) (*generate.GenerateContr
client.SetDiscovery(dclient.NewFakeDiscoveryClient(nil)) client.SetDiscovery(dclient.NewFakeDiscoveryClient(nil))
c := generate.NewGenerateControllerWithOnlyClient(client, engine.NewEngine( c := generate.NewGenerateControllerWithOnlyClient(client, engine.NewEngine(
config.NewDefaultConfiguration(), config.NewDefaultConfiguration(false),
client, client,
nil, nil,
store.ContextLoaderFactory(nil), store.ContextLoaderFactory(nil),


@ -322,7 +322,7 @@ func main() {
logger.Error(err, "failed to create config map resolver") logger.Error(err, "failed to create config map resolver")
os.Exit(1) os.Exit(1)
} }
configuration, err := config.NewConfiguration(kubeClient) configuration, err := config.NewConfiguration(kubeClient, false)
if err != nil { if err != nil {
logger.Error(err, "failed to initialize configuration") logger.Error(err, "failed to initialize configuration")
os.Exit(1) os.Exit(1)


@ -220,6 +220,7 @@ func main() {
maxQueuedEvents int maxQueuedEvents int
enablePolicyException bool enablePolicyException bool
exceptionNamespace string exceptionNamespace string
skipResourceFilters bool
) )
flagset := flag.NewFlagSet("reports-controller", flag.ExitOnError) flagset := flag.NewFlagSet("reports-controller", flag.ExitOnError)
flagset.DurationVar(&leaderElectionRetryPeriod, "leaderElectionRetryPeriod", leaderelection.DefaultRetryPeriod, "Configure leader election retry period.") flagset.DurationVar(&leaderElectionRetryPeriod, "leaderElectionRetryPeriod", leaderelection.DefaultRetryPeriod, "Configure leader election retry period.")
@ -234,6 +235,7 @@ func main() {
flagset.IntVar(&maxQueuedEvents, "maxQueuedEvents", 1000, "Maximum events to be queued.") flagset.IntVar(&maxQueuedEvents, "maxQueuedEvents", 1000, "Maximum events to be queued.")
flagset.StringVar(&exceptionNamespace, "exceptionNamespace", "", "Configure the namespace to accept PolicyExceptions.") flagset.StringVar(&exceptionNamespace, "exceptionNamespace", "", "Configure the namespace to accept PolicyExceptions.")
flagset.BoolVar(&enablePolicyException, "enablePolicyException", false, "Enable PolicyException feature.") flagset.BoolVar(&enablePolicyException, "enablePolicyException", false, "Enable PolicyException feature.")
flagset.BoolVar(&skipResourceFilters, "skipResourceFilters", true, "If true, resource filters wont be considered.")
// config // config
appConfig := internal.NewConfiguration( appConfig := internal.NewConfiguration(
internal.WithProfiling(), internal.WithProfiling(),
@ -298,7 +300,7 @@ func main() {
logger.Error(err, "failed to create config map resolver") logger.Error(err, "failed to create config map resolver")
os.Exit(1) os.Exit(1)
} }
configuration, err := config.NewConfiguration(kubeClient) configuration, err := config.NewConfiguration(kubeClient, skipResourceFilters)
if err != nil { if err != nil {
logger.Error(err, "failed to initialize configuration") logger.Error(err, "failed to initialize configuration")
os.Exit(1) os.Exit(1)
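Review bot: The help text on the new flag at the second hunk, `"If true, resource filters wont be considered."`, has a typo and does not say which filters are meant nor that the default is `true`, so `--help` does not tell an operator that this makes the reports controller ignore the resource filters an administrator configured in the Kyverno config map. A clearer string would be `flagset.BoolVar(&skipResourceFilters, "skipResourceFilters", true, "If true, resource filters from the Kyverno config map are ignored and no resource is excluded from background reporting by them (default true).")`. From the `ToFilter` change in this commit the filters are bypassed entirely when the flag is set, so a deployment that relied on them to keep the background scan away from certain kinds or namespaces will see a behaviour change on upgrade unless it passes `--skipResourceFilters=false`; the changelog entry states the default but the flag help should as well. The enclosing main starts and ends outside the hunk.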


@ -34969,6 +34969,7 @@ spec:
- --metricsPort=8000 - --metricsPort=8000
- --clientRateLimitBurst=300 - --clientRateLimitBurst=300
- --clientRateLimitQPS=300 - --clientRateLimitQPS=300
- --skipResourceFilters=true
env: env:
- name: METRICS_CONFIG - name: METRICS_CONFIG
value: kyverno-metrics value: kyverno-metrics


@ -161,6 +161,7 @@ type Configuration interface {
// configuration stores the configuration // configuration stores the configuration
type configuration struct { type configuration struct {
skipResourceFilters bool
defaultRegistry string defaultRegistry string
enableDefaultRegistryMutation bool enableDefaultRegistryMutation bool
excludedGroups []string excludedGroups []string
@ -176,8 +177,9 @@ type configuration struct {
} }
// NewDefaultConfiguration ... // NewDefaultConfiguration ...
func NewDefaultConfiguration() *configuration { func NewDefaultConfiguration(skipResourceFilters bool) *configuration {
return &configuration{ return &configuration{
skipResourceFilters: skipResourceFilters,
defaultRegistry: "docker.io", defaultRegistry: "docker.io",
enableDefaultRegistryMutation: true, enableDefaultRegistryMutation: true,
excludedGroups: defaultExcludedGroups, excludedGroups: defaultExcludedGroups,
@ -186,8 +188,8 @@ func NewDefaultConfiguration() *configuration {
} }
// NewConfiguration ... // NewConfiguration ...
func NewConfiguration(client kubernetes.Interface) (Configuration, error) { func NewConfiguration(client kubernetes.Interface, skipResourceFilters bool) (Configuration, error) {
cd := NewDefaultConfiguration() cd := NewDefaultConfiguration(skipResourceFilters)
if cm, err := client.CoreV1().ConfigMaps(kyvernoNamespace).Get(context.TODO(), kyvernoConfigMapName, metav1.GetOptions{}); err != nil { if cm, err := client.CoreV1().ConfigMaps(kyvernoNamespace).Get(context.TODO(), kyvernoConfigMapName, metav1.GetOptions{}); err != nil {
if !errors.IsNotFound(err) { if !errors.IsNotFound(err) {
return nil, err return nil, err
@ -201,6 +203,7 @@ func NewConfiguration(client kubernetes.Interface) (Configuration, error) {
func (cd *configuration) ToFilter(kind, namespace, name string) bool { func (cd *configuration) ToFilter(kind, namespace, name string) bool {
cd.mux.RLock() cd.mux.RLock()
defer cd.mux.RUnlock() defer cd.mux.RUnlock()
if !cd.skipResourceFilters {
for _, f := range cd.filters { for _, f := range cd.filters {
if wildcard.Match(f.Kind, kind) && wildcard.Match(f.Namespace, namespace) && wildcard.Match(f.Name, name) { if wildcard.Match(f.Kind, kind) && wildcard.Match(f.Namespace, namespace) && wildcard.Match(f.Name, name) {
return true return true
@ -212,6 +215,7 @@ func (cd *configuration) ToFilter(kind, namespace, name string) bool {
} }
} }
} }
}
return false return false
} }
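Review bot: The new `skipResourceFilters` field and both updated constructors keep placeholder doc comments (`// NewDefaultConfiguration ...`, `// NewConfiguration ...`), so the single behavioural switch this commit introduces is undocumented at the type that implements it. Suggest a field comment `// skipResourceFilters makes ToFilter ignore cd.filters entirely (it then always returns false).` and replacing the constructor stubs with sentences that name the parameter, e.g. `// NewDefaultConfiguration returns the built-in defaults; when skipResourceFilters is true, ToFilter reports no resource as filtered.` and the equivalent on `NewConfiguration`. It is worth confirming that `Load` (called from the controllers' `loadConfig` elsewhere in this commit) does not reset the field; within the visible hunks it is only ever assigned in the constructor, but `Load` itself is outside this diff. `ToFilter` is split across the hunks at old lines 201 and 212, so the middle of its body is not visible here.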


@ -140,7 +140,7 @@ func (c *controller) enqueue() {
} }
func (c *controller) loadConfig() config.Configuration { func (c *controller) loadConfig() config.Configuration {
cfg := config.NewDefaultConfiguration() cfg := config.NewDefaultConfiguration(false)
cm, err := c.configMapLister.ConfigMaps(config.KyvernoNamespace()).Get(config.KyvernoConfigMapName()) cm, err := c.configMapLister.ConfigMaps(config.KyvernoNamespace()).Get(config.KyvernoConfigMapName())
if err == nil { if err == nil {
cfg.Load(cm) cfg.Load(cm)


@ -294,7 +294,7 @@ func (c *controller) enqueueVerifyWebhook() {
} }
func (c *controller) loadConfig() config.Configuration { func (c *controller) loadConfig() config.Configuration {
cfg := config.NewDefaultConfiguration() cfg := config.NewDefaultConfiguration(false)
cm, err := c.configMapLister.ConfigMaps(config.KyvernoNamespace()).Get(config.KyvernoConfigMapName()) cm, err := c.configMapLister.ConfigMaps(config.KyvernoNamespace()).Get(config.KyvernoConfigMapName())
if err == nil { if err == nil {
cfg.Load(cm) cfg.Load(cm)


@ -619,7 +619,7 @@ FdGxexVrR4YqO1pRViKxmD9oMu4I7K/4sM51nbH65ycB2uRiDfIdRoV/+A==
var ( var (
h = validateManifestHandler{} h = validateManifestHandler{}
cfg = config.NewDefaultConfiguration() cfg = config.NewDefaultConfiguration(false)
) )
func Test_VerifyManifest_SignedYAML(t *testing.T) { func Test_VerifyManifest_SignedYAML(t *testing.T) {


@ -161,7 +161,7 @@ var signaturePayloads = [][]byte{
[]byte(`{"critical":{"identity":{"docker-reference":"ghcr.io/kyverno/test-verify-image"},"image":{"docker-manifest-digest":"sha256:b31bfb4d0213f254d361e0079deaaebefa4f82ba7aa76ef82e90b4935ad5b105"},"type":"cosign container image signature"},"optional":null}`), []byte(`{"critical":{"identity":{"docker-reference":"ghcr.io/kyverno/test-verify-image"},"image":{"docker-manifest-digest":"sha256:b31bfb4d0213f254d361e0079deaaebefa4f82ba7aa76ef82e90b4935ad5b105"},"type":"cosign container image signature"},"optional":null}`),
} }
var cfg = config.NewDefaultConfiguration() var cfg = config.NewDefaultConfiguration(false)
func testVerifyAndPatchImages( func testVerifyAndPatchImages(
ctx context.Context, ctx context.Context,


@ -10,7 +10,7 @@ import (
"gotest.tools/assert" "gotest.tools/assert"
) )
var cfg = config.NewDefaultConfiguration() var cfg = config.NewDefaultConfiguration(false)
func Test_extractImageInfo(t *testing.T) { func Test_extractImageInfo(t *testing.T) {
tests := []struct { tests := []struct {


@ -21,7 +21,7 @@ func initializeMockConfig(defaultRegistry string, enableDefaultRegistryMutation
Data: configMapData, Data: configMapData,
} }
cs := fake.NewSimpleClientset(&cm) cs := fake.NewSimpleClientset(&cm)
dynamicConfig, err := config.NewConfiguration(cs) dynamicConfig, err := config.NewConfiguration(cs, false)
if err != nil { if err != nil {
return nil, err return nil, err
} }


@ -35,7 +35,7 @@ func NewFakeHandlers(ctx context.Context, policyCache policycache.Cache) webhook
kyvernoInformers.Start(ctx.Done()) kyvernoInformers.Start(ctx.Done())
dclient := dclient.NewEmptyFakeClient() dclient := dclient.NewEmptyFakeClient()
configuration := config.NewDefaultConfiguration() configuration := config.NewDefaultConfiguration(false)
urLister := kyvernoInformers.Kyverno().V1beta1().UpdateRequests().Lister().UpdateRequests(config.KyvernoNamespace()) urLister := kyvernoInformers.Kyverno().V1beta1().UpdateRequests().Lister().UpdateRequests(config.KyvernoNamespace())
peLister := kyvernoInformers.Kyverno().V2alpha1().PolicyExceptions().Lister() peLister := kyvernoInformers.Kyverno().V2alpha1().PolicyExceptions().Lister()
rclient := registryclient.NewOrDie() rclient := registryclient.NewOrDie()


@ -1050,7 +1050,7 @@ func TestValidate_failure_action_overrides(t *testing.T) {
} }
eng := engine.NewEngine( eng := engine.NewEngine(
config.NewDefaultConfiguration(), config.NewDefaultConfiguration(false),
nil, nil,
registryclient.NewOrDie(), registryclient.NewOrDie(),
engineapi.DefaultContextLoaderFactory(nil), engineapi.DefaultContextLoaderFactory(nil),
@ -1129,7 +1129,7 @@ func Test_RuleSelector(t *testing.T) {
ctx := engine.NewPolicyContext(kyvernov1.Create).WithPolicy(&policy).WithNewResource(*resourceUnstructured) ctx := engine.NewPolicyContext(kyvernov1.Create).WithPolicy(&policy).WithNewResource(*resourceUnstructured)
eng := engine.NewEngine( eng := engine.NewEngine(
config.NewDefaultConfiguration(), config.NewDefaultConfiguration(false),
nil, nil,
registryclient.NewOrDie(), registryclient.NewOrDie(),
engineapi.DefaultContextLoaderFactory(nil), engineapi.DefaultContextLoaderFactory(nil),