- add dclient; - add a retry when getting the resource before creating a PV
This commit is contained in:
parent
7ca87b0ac6
commit
37ad1249b2
4 changed files with 43 additions and 25 deletions
2
main.go
|
@ -106,7 +106,7 @@ func main() {
|
|||
|
||||
// POLICY VIOLATION GENERATOR
|
||||
// -- generate policy violation
|
||||
pvgen := policyviolation.NewPVGenerator(pclient, pInformer.Kyverno().V1alpha1().ClusterPolicyViolations().Lister(), pInformer.Kyverno().V1alpha1().NamespacedPolicyViolations().Lister())
|
||||
pvgen := policyviolation.NewPVGenerator(pclient, client, pInformer.Kyverno().V1alpha1().ClusterPolicyViolations().Lister(), pInformer.Kyverno().V1alpha1().NamespacedPolicyViolations().Lister())
|
||||
|
||||
// POLICY CONTROLLER
|
||||
// - reconciliation policy and policy violation
|
||||
|
|
|
@ -93,11 +93,12 @@ type GeneratorInterface interface {
|
|||
}
|
||||
|
||||
// NewPVGenerator returns a new instance of policy violation generator
|
||||
func NewPVGenerator(client *kyvernoclient.Clientset,
|
||||
func NewPVGenerator(client *kyvernoclient.Clientset, dclient *client.Client,
|
||||
pvLister kyvernolister.ClusterPolicyViolationLister,
|
||||
nspvLister kyvernolister.NamespacedPolicyViolationLister) *Generator {
|
||||
gen := Generator{
|
||||
pvInterface: client.KyvernoV1alpha1(),
|
||||
dclient: dclient,
|
||||
pvLister: pvLister,
|
||||
nspvLister: nspvLister,
|
||||
queue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), workQueueName),
|
||||
|
@ -210,7 +211,10 @@ func (gen *Generator) syncHandler(info Info) error {
|
|||
pvs = buildPVWithOwners(gen.dclient, info)
|
||||
}
|
||||
// create policy violation
|
||||
createPVS(pvs, gen.pvLister, gen.pvInterface)
|
||||
if err := createPVS(gen.dclient, pvs, gen.pvLister, gen.pvInterface); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
glog.V(3).Infof("Created cluster policy violation policy=%s, resource=%s/%s/%s",
|
||||
info.PolicyName, info.Resource.GetKind(), info.Resource.GetNamespace(), info.Resource.GetName())
|
||||
return nil
|
||||
|
@ -224,19 +228,25 @@ func (gen *Generator) syncHandler(info Info) error {
|
|||
pvs = buildNamespacedPVWithOwner(gen.dclient, info)
|
||||
}
|
||||
|
||||
createNamespacedPV(gen.nspvLister, gen.pvInterface, pvs)
|
||||
if err := createNamespacedPV(gen.dclient, gen.nspvLister, gen.pvInterface, pvs); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
glog.V(3).Infof("Created namespaced policy violation policy=%s, resource=%s/%s/%s",
|
||||
info.PolicyName, info.Resource.GetKind(), info.Resource.GetNamespace(), info.Resource.GetName())
|
||||
return nil
|
||||
}
|
||||
|
||||
func createPVS(pvs []kyverno.ClusterPolicyViolation, pvLister kyvernolister.ClusterPolicyViolationLister, pvInterface kyvernov1alpha1.KyvernoV1alpha1Interface) {
|
||||
func createPVS(dclient *client.Client, pvs []kyverno.ClusterPolicyViolation, pvLister kyvernolister.ClusterPolicyViolationLister, pvInterface kyvernov1alpha1.KyvernoV1alpha1Interface) error {
|
||||
for _, pv := range pvs {
|
||||
createPVNew(pv, pvLister, pvInterface)
|
||||
if err := createPVNew(dclient, pv, pvLister, pvInterface); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func createPVNew(pv kyverno.ClusterPolicyViolation, pvLister kyvernolister.ClusterPolicyViolationLister, pvInterface kyvernov1alpha1.KyvernoV1alpha1Interface) error {
|
||||
func createPVNew(dclient *client.Client, pv kyverno.ClusterPolicyViolation, pvLister kyvernolister.ClusterPolicyViolationLister, pvInterface kyvernov1alpha1.KyvernoV1alpha1Interface) error {
|
||||
var err error
|
||||
// PV already exists
|
||||
ePV, err := getExistingPVIfAny(pvLister, pv)
|
||||
|
@ -247,6 +257,11 @@ func createPVNew(pv kyverno.ClusterPolicyViolation, pvLister kyvernolister.Clust
|
|||
if ePV == nil {
|
||||
// Create a New PV
|
||||
glog.V(4).Infof("creating new policy violation for policy %s & resource %s/%s/%s", pv.Spec.Policy, pv.Spec.ResourceSpec.Kind, pv.Spec.ResourceSpec.Namespace, pv.Spec.ResourceSpec.Name)
|
||||
err := retryGetResource(dclient, pv.Spec.ResourceSpec)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
_, err = pvInterface.ClusterPolicyViolations().Create(&pv)
|
||||
if err != nil {
|
||||
glog.Error(err)
|
||||
|
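Review bot: In createPVNew, `err := retryGetResource(dclient, pv.Spec.ResourceSpec)` inside the `if ePV == nil` block declares a second `err` that shadows the one from `var err error` at the top of the function, so the later `_, err = pvInterface.ClusterPolicyViolations().Create(&pv)` assigns to the inner variable; `go vet` with the shadow analyzer flags this, and `err = retryGetResource(dclient, pv.Spec.ResourceSpec)` keeps a single variable. The new error propagation in createPVS and syncHandler aborts the remaining entries of `pvs` on the first failure and, because retryGetResource is not in this hunk, it is not visible whether a resource that stays absent (e.g. already deleted) makes syncHandler fail on every requeue; if so, the key sits in the rate-limited queue until it is dropped, which is worth a comment on the `return err` in createPVS. The errors are also returned without context; `return fmt.Errorf("creating policy violation for %s/%s/%s: %w", ...)` would tell the caller which PV failed (or `%v` if the module's Go version predates `%w`). The `glog.V(3).Infof("Created cluster policy violation ...")` in syncHandler still fires when createPVNew found an existing PV and created nothing, so the wording is misleading. createPVNew's body continues past the end of the hunk.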
|
|
@ -93,7 +93,7 @@ func buildNamespacedPVWithOwner(dclient *dclient.Client, info Info) (pvs []kyver
|
|||
return
|
||||
}
|
||||
|
||||
func createNamespacedPV(pvLister kyvernolister.NamespacedPolicyViolationLister, pvInterface kyvernov1alpha1.KyvernoV1alpha1Interface, pvs []kyverno.NamespacedPolicyViolation) {
|
||||
func createNamespacedPV(dclient *dclient.Client, pvLister kyvernolister.NamespacedPolicyViolationLister, pvInterface kyvernov1alpha1.KyvernoV1alpha1Interface, pvs []kyverno.NamespacedPolicyViolation) error {
|
||||
for _, newPv := range pvs {
|
||||
glog.V(4).Infof("creating namespaced policyViolation resource for policy %s and resource %s", newPv.Spec.Policy, newPv.Spec.ResourceSpec.ToKey())
|
||||
// check if there was a previous policy voilation for policy & resource combination
|
||||
|
@ -103,17 +103,21 @@ func createNamespacedPV(pvLister kyvernolister.NamespacedPolicyViolationLister,
|
|||
continue
|
||||
}
|
||||
|
||||
if curPv == nil {
|
||||
// no existing policy violation, create a new one
|
||||
if reflect.DeepEqual(curPv, kyverno.NamespacedPolicyViolation{}) {
|
||||
glog.V(4).Infof("creating new namespaced policy violation for policy %s & resource %s", newPv.Spec.Policy, newPv.Spec.ResourceSpec.ToKey())
|
||||
// no existing policy violation, create a new one
|
||||
_, err := pvInterface.NamespacedPolicyViolations(newPv.Spec.ResourceSpec.Namespace).Create(&newPv)
|
||||
if err != nil {
|
||||
glog.Error(err)
|
||||
} else {
|
||||
glog.Infof("namespaced policy violation created for resource %s", newPv.Spec.ResourceSpec.ToKey())
|
||||
|
||||
if err := retryGetResource(dclient, newPv.Spec.ResourceSpec); err != nil {
|
||||
return err
|
||||
}
|
||||
continue
|
||||
|
||||
if _, err := pvInterface.NamespacedPolicyViolations(newPv.Spec.ResourceSpec.Namespace).Create(&newPv); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
glog.Infof("namespaced policy violation created for resource %s", newPv.Spec.ResourceSpec.ToKey())
|
||||
}
|
||||
|
||||
// compare the policyviolation spec for existing resource if present else
|
||||
if reflect.DeepEqual(curPv.Spec, newPv.Spec) {
|
||||
// if they are equal there has been no change so dont update the polivy violation
|
||||
|
@ -125,27 +129,26 @@ func createNamespacedPV(pvLister kyvernolister.NamespacedPolicyViolationLister,
|
|||
glog.V(4).Infof("creating new policy violation for policy %s & resource %s", curPv.Spec.Policy, curPv.Spec.ResourceSpec.ToKey())
|
||||
//TODO: using a generic name, but would it be helpful to have naming convention for policy violations
|
||||
// as we can only have one policy violation for each (policy + resource) combination
|
||||
_, err = pvInterface.NamespacedPolicyViolations(newPv.Spec.ResourceSpec.Namespace).Update(&newPv)
|
||||
if err != nil {
|
||||
glog.Error(err)
|
||||
continue
|
||||
if _, err = pvInterface.NamespacedPolicyViolations(newPv.Spec.ResourceSpec.Namespace).Update(&newPv); err != nil {
|
||||
return err
|
||||
}
|
||||
glog.Infof("namespaced policy violation updated for resource %s", newPv.Spec.ResourceSpec.ToKey())
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func getExistingNamespacedPVIfAny(nspvLister kyvernolister.NamespacedPolicyViolationLister, newPv kyverno.NamespacedPolicyViolation) (*kyverno.NamespacedPolicyViolation, error) {
|
||||
func getExistingNamespacedPVIfAny(nspvLister kyvernolister.NamespacedPolicyViolationLister, newPv kyverno.NamespacedPolicyViolation) (kyverno.NamespacedPolicyViolation, error) {
|
||||
// TODO(shuting): list pvs by labels
|
||||
pvs, err := nspvLister.List(labels.NewSelector())
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to list namespaced policy violations err: %v", err)
|
||||
return kyverno.NamespacedPolicyViolation{}, fmt.Errorf("failed to list namespaced policy violations err: %v", err)
|
||||
}
|
||||
|
||||
for _, pv := range pvs {
|
||||
if pv.Spec.Policy == newPv.Spec.Policy && reflect.DeepEqual(pv.Spec.ResourceSpec, newPv.Spec.ResourceSpec) {
|
||||
return pv, nil
|
||||
return *pv, nil
|
||||
}
|
||||
}
|
||||
|
||||
return nil, nil
|
||||
return kyverno.NamespacedPolicyViolation{}, nil
|
||||
}
|
||||
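Review bot: In createNamespacedPV, `if reflect.DeepEqual(curPv, kyverno.NamespacedPolicyViolation{})` replaces the former `curPv == nil` now that getExistingNamespacedPVIfAny returns a value; a reflective walk of a full API object per PV is an expensive and fragile way to express "not found", and returning an explicit flag is clearer: `curPv, found, err := getExistingNamespacedPVIfAny(pvLister, newPv)` with `if !found {` (or keep the pointer return and the nil check). The loop also changes from log-and-`continue` to `return err` on retryGetResource, Create and Update failures, so one PV whose resource cannot be fetched now stops every later PV in the batch from being created or updated; if that is intended, it deserves a comment above the loop, otherwise a per-entry log plus `continue` preserves the previous behaviour for NotFound. `return *pv, nil` in getExistingNamespacedPVIfAny is a shallow copy of the lister-cached object, which is fine here since only `&newPv` is passed to Update, but a comment noting that the copy still shares nested slices and maps with the cache would save the next reader from mutating it. createNamespacedPV starts before the `@ -103,17` hunk.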
|
|
|
@ -226,7 +226,7 @@ func (pvc *NamespacedPolicyViolationController) syncActiveResource(curPv *kyvern
|
|||
// check if the resource is active or not ?
|
||||
rspec := curPv.Spec.ResourceSpec
|
||||
// get resource
|
||||
err := retryGetResource(pvc.client, rspec)
|
||||
_, err := pvc.client.GetResource(rspec.Kind, rspec.Namespace, rspec.Name)
|
||||
if errors.IsNotFound(err) {
|
||||
// TODO: does it help to retry?
|
||||
// resource is not found
|
||||
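Review bot: `if errors.IsNotFound(err)` right after `err := retryGetResource(pvc.client, rspec)` only works if retryGetResource returns the API server's StatusError unwrapped; retryGetResource is not in this hunk, so if it wraps the final error with `fmt.Errorf("...: %v", err)` or returns its own error after the retries are exhausted, IsNotFound is always false and the not-found branch that presumably handles deleted resources is never taken. A comment on the call would pin the contract: `// retryGetResource must return the apierrors StatusError unwrapped so IsNotFound matches below`. Note also that each sync of a PV whose resource is gone now blocks the worker for the full retry duration before reaching this branch, which may be a noticeable slowdown when many stale PVs are reconciled. syncActiveResource continues outside the hunk.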
|
|