From 38ca9e702ea8a2fc5321b45d95ab32ea8eae4905 Mon Sep 17 00:00:00 2001 From: shuting Date: Fri, 17 Jun 2022 23:16:19 +0800 Subject: [PATCH] Release 1.6.3 (#4134) * fix: do not remove webhooks during initialization (#3641) * Do not remove webhooks during initialization During initialization the Kyverno leader Pod deletes all the existing webhooks and recreates them. There is a small time window were the cluster is not protected by the webhooks, allowing a user to apply resources without any verfication. This commit updates the leader registration logic to not remove and recreate the webhooks but, in the case that the webhooks already exist, update them. Signed-off-by: Ioannis Bouloumpasis * Fix linter errors Signed-off-by: Ioannis Bouloumpasis * Use the Lister to get webhook configurations Signed-off-by: Ioannis Bouloumpasis Signed-off-by: ShutingZhao * Tag v1.6.3 Signed-off-by: ShutingZhao Co-authored-by: Ioannis Bouloumpasis --- charts/kyverno-policies/Chart.yaml | 4 +- charts/kyverno/Chart.yaml | 4 +- charts/kyverno/templates/crds.yaml | 14 ++-- config/install.yaml | 68 ++++++++--------- config/release/install.yaml | 68 ++++++++--------- config/release/kustomization.yaml | 4 +- config/release/labels.yaml | 2 +- pkg/webhookconfig/registration.go | 115 +++++++++++++++++++++++++++-- 8 files changed, 192 insertions(+), 87 deletions(-) diff --git a/charts/kyverno-policies/Chart.yaml b/charts/kyverno-policies/Chart.yaml index c7dcfd42d2..c6be390fd2 100644 --- a/charts/kyverno-policies/Chart.yaml +++ b/charts/kyverno-policies/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: kyverno-policies -version: v2.3.4 -appVersion: v1.6.2 +version: v2.3.5 +appVersion: v1.6.3 icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png description: Kubernetes Pod Security Standards implemented as Kyverno policies keywords: diff --git a/charts/kyverno/Chart.yaml b/charts/kyverno/Chart.yaml index 15703905b6..fedca00405 100644 --- a/charts/kyverno/Chart.yaml 
+++ b/charts/kyverno/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: kyverno -version: v2.3.3 -appVersion: v1.6.2 +version: v2.3.4 +appVersion: v1.6.3 icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png description: Kubernetes Native Policy Management keywords: diff --git a/charts/kyverno/templates/crds.yaml b/charts/kyverno/templates/crds.yaml index 4a8318140b..1772b77bbd 100644 --- a/charts/kyverno/templates/crds.yaml +++ b/charts/kyverno/templates/crds.yaml @@ -11,7 +11,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: clusterpolicies.kyverno.io spec: group: kyverno.io @@ -1388,7 +1388,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: clusterpolicyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io @@ -1880,7 +1880,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: clusterreportchangerequests.kyverno.io spec: group: kyverno.io @@ -2372,7 +2372,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: generaterequests.kyverno.io spec: group: kyverno.io @@ -2553,7 +2553,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: policies.kyverno.io spec: group: kyverno.io 
@@ -3930,7 +3930,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: policyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io @@ -4422,7 +4422,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: reportchangerequests.kyverno.io spec: group: kyverno.io diff --git a/config/install.yaml b/config/install.yaml index 02dbc40824..b95855db02 100644 --- a/config/install.yaml +++ b/config/install.yaml @@ -7,7 +7,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno --- apiVersion: apiextensions.k8s.io/v1 @@ -21,7 +21,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: clusterpolicies.kyverno.io spec: group: kyverno.io @@ -2202,7 +2202,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: clusterpolicyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io @@ -2882,7 +2882,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: clusterreportchangerequests.kyverno.io spec: group: kyverno.io 
@@ -3562,7 +3562,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: generaterequests.kyverno.io spec: group: kyverno.io @@ -3759,7 +3759,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: policies.kyverno.io spec: group: kyverno.io @@ -5942,7 +5942,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: policyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io @@ -6620,7 +6620,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: reportchangerequests.kyverno.io spec: group: kyverno.io @@ -7298,7 +7298,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno-service-account namespace: kyverno --- @@ -7311,7 +7311,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:leaderelection namespace: kyverno rules: @@ -7345,7 +7345,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:admin-policies rules: 
@@ -7372,7 +7372,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:admin-policyreport rules: @@ -7399,7 +7399,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:admin-reportchangerequest rules: @@ -7426,7 +7426,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:events rules: - apiGroups: @@ -7448,7 +7448,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:generate rules: - apiGroups: @@ -7495,7 +7495,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:policies rules: - apiGroups: @@ -7546,7 +7546,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:userinfo rules: - apiGroups: @@ -7569,7 +7569,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:view rules: - apiGroups: 
@@ -7590,7 +7590,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:webhook rules: - apiGroups: @@ -7616,7 +7616,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:leaderelection namespace: kyverno roleRef: @@ -7637,7 +7637,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:events roleRef: apiGroup: rbac.authorization.k8s.io @@ -7657,7 +7657,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:generate roleRef: apiGroup: rbac.authorization.k8s.io @@ -7677,7 +7677,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:policies roleRef: apiGroup: rbac.authorization.k8s.io @@ -7697,7 +7697,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:userinfo roleRef: apiGroup: rbac.authorization.k8s.io @@ -7717,7 +7717,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:view roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -7737,7 +7737,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:webhook roleRef: apiGroup: rbac.authorization.k8s.io @@ -7761,7 +7761,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno namespace: kyverno --- @@ -7777,7 +7777,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno-metrics namespace: kyverno --- @@ -7790,7 +7790,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno-svc namespace: kyverno spec: @@ -7811,7 +7811,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno-svc-metrics namespace: kyverno spec: @@ -7832,7 +7832,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno namespace: kyverno spec: @@ -7854,7 +7854,7 @@ spec: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 spec: affinity: podAntiAffinity: @@ -7885,7 +7885,7 @@ spec: value: kyverno-svc - name: TUF_ROOT value: /.sigstore - image: ghcr.io/kyverno/kyverno:v1.6.2 + image: ghcr.io/kyverno/kyverno:v1.6.3 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 2 
@@ -7940,7 +7940,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: ghcr.io/kyverno/kyvernopre:v1.6.2 + image: ghcr.io/kyverno/kyvernopre:v1.6.3 imagePullPolicy: IfNotPresent name: kyverno-pre resources: diff --git a/config/release/install.yaml b/config/release/install.yaml index 02dbc40824..b95855db02 100755 --- a/config/release/install.yaml +++ b/config/release/install.yaml @@ -7,7 +7,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno --- apiVersion: apiextensions.k8s.io/v1 @@ -21,7 +21,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: clusterpolicies.kyverno.io spec: group: kyverno.io @@ -2202,7 +2202,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: clusterpolicyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io @@ -2882,7 +2882,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: clusterreportchangerequests.kyverno.io spec: group: kyverno.io @@ -3562,7 +3562,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: generaterequests.kyverno.io spec: group: kyverno.io @@ -3759,7 +3759,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: policies.kyverno.io spec: group: kyverno.io 
@@ -5942,7 +5942,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: policyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io @@ -6620,7 +6620,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: reportchangerequests.kyverno.io spec: group: kyverno.io @@ -7298,7 +7298,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno-service-account namespace: kyverno --- @@ -7311,7 +7311,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:leaderelection namespace: kyverno rules: @@ -7345,7 +7345,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:admin-policies rules: @@ -7372,7 +7372,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:admin-policyreport rules: @@ -7399,7 +7399,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:admin-reportchangerequest rules: 
@@ -7426,7 +7426,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:events rules: - apiGroups: @@ -7448,7 +7448,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:generate rules: - apiGroups: @@ -7495,7 +7495,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:policies rules: - apiGroups: @@ -7546,7 +7546,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:userinfo rules: - apiGroups: @@ -7569,7 +7569,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:view rules: - apiGroups: @@ -7590,7 +7590,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:webhook rules: - apiGroups: @@ -7616,7 +7616,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:leaderelection namespace: kyverno roleRef: 
@@ -7637,7 +7637,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:events roleRef: apiGroup: rbac.authorization.k8s.io @@ -7657,7 +7657,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:generate roleRef: apiGroup: rbac.authorization.k8s.io @@ -7677,7 +7677,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:policies roleRef: apiGroup: rbac.authorization.k8s.io @@ -7697,7 +7697,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:userinfo roleRef: apiGroup: rbac.authorization.k8s.io @@ -7717,7 +7717,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:view roleRef: apiGroup: rbac.authorization.k8s.io @@ -7737,7 +7737,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:webhook roleRef: apiGroup: rbac.authorization.k8s.io @@ -7761,7 +7761,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno namespace: kyverno --- 
@@ -7777,7 +7777,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno-metrics namespace: kyverno --- @@ -7790,7 +7790,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno-svc namespace: kyverno spec: @@ -7811,7 +7811,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno-svc-metrics namespace: kyverno spec: @@ -7832,7 +7832,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno namespace: kyverno spec: @@ -7854,7 +7854,7 @@ spec: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 spec: affinity: podAntiAffinity: @@ -7885,7 +7885,7 @@ spec: value: kyverno-svc - name: TUF_ROOT value: /.sigstore - image: ghcr.io/kyverno/kyverno:v1.6.2 + image: ghcr.io/kyverno/kyverno:v1.6.3 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 2 @@ -7940,7 +7940,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: ghcr.io/kyverno/kyvernopre:v1.6.2 + image: ghcr.io/kyverno/kyvernopre:v1.6.3 imagePullPolicy: IfNotPresent name: kyverno-pre resources: diff --git a/config/release/kustomization.yaml b/config/release/kustomization.yaml index 8d13b59e32..07401ba638 100755 --- a/config/release/kustomization.yaml +++ b/config/release/kustomization.yaml 
@@ -9,6 +9,6 @@ transformers: images: - name: ghcr.io/kyverno/kyverno - newTag: v1.6.2 + newTag: v1.6.3 - name: ghcr.io/kyverno/kyvernopre - newTag: v1.6.2 + newTag: v1.6.3 diff --git a/config/release/labels.yaml b/config/release/labels.yaml index c34a8aa6a3..9122d512e5 100644 --- a/config/release/labels.yaml +++ b/config/release/labels.yaml @@ -4,7 +4,7 @@ kind: LabelTransformer metadata: name: labelTransformer labels: - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 fieldSpecs: - path: metadata/labels create: true diff --git a/pkg/webhookconfig/registration.go b/pkg/webhookconfig/registration.go index 32dbe2b8c4..95fb31d002 100644 --- a/pkg/webhookconfig/registration.go +++ b/pkg/webhookconfig/registration.go @@ -126,7 +126,6 @@ func (wrc *Register) Register() error { return err } } - wrc.removeWebhookConfigurations() caData := wrc.readCaData() if caData == nil { @@ -318,9 +317,12 @@ func (wrc *Register) createResourceMutatingWebhookConfiguration(caData []byte) e _, err := wrc.client.CreateResource("", kindMutating, "", *config, false) if errorsapi.IsAlreadyExists(err) { logger.V(6).Info("resource mutating webhook configuration already exists", "name", config.Name) + err = wrc.updateMutatingWebhookConfiguration(config) + if err != nil { + return err + } return nil } - if err != nil { logger.Error(err, "failed to create resource mutating webhook configuration", "name", config.Name) return err @@ -344,6 +346,10 @@ func (wrc *Register) createResourceValidatingWebhookConfiguration(caData []byte) _, err := wrc.client.CreateResource("", kindValidating, "", *config, false) if errorsapi.IsAlreadyExists(err) { logger.V(6).Info("resource validating webhook configuration already exists", "name", config.Name) + err = wrc.updateValidatingWebhookConfiguration(config) + if err != nil { + return err + } return nil } 
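Review bot: In the `IsAlreadyExists` branch of `createResourceMutatingWebhookConfiguration` the error from `wrc.updateMutatingWebhookConfiguration(config)` is returned bare, while the create-failure path just below logs it with the configuration name. A failed reconcile of an existing admission webhook is then hard to tell apart from other `Register` failures. I would log it the same way: `if err := wrc.updateMutatingWebhookConfiguration(config); err != nil { logger.Error(err, "failed to update resource mutating webhook configuration", "name", config.Name); return err }`. The same pattern recurs in the `createResourceValidatingWebhookConfiguration` hunk and in the three hunks that follow (`createPolicyValidatingWebhookConfiguration`, `createPolicyMutatingWebhookConfiguration`, `createVerifyMutatingWebhookConfiguration`). All five function bodies start and end outside their hunks.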
@@ -369,6 +375,10 @@ func (wrc *Register) createPolicyValidatingWebhookConfiguration(caData []byte) e if _, err := wrc.client.CreateResource("", kindValidating, "", *config, false); err != nil { if errorsapi.IsAlreadyExists(err) { wrc.log.V(6).Info("webhook already exists", "kind", kindValidating, "name", config.Name) + err = wrc.updateValidatingWebhookConfiguration(config) + if err != nil { + return err + } return nil } @@ -392,6 +402,10 @@ func (wrc *Register) createPolicyMutatingWebhookConfiguration(caData []byte) err if _, err := wrc.client.CreateResource("", kindMutating, "", *config, false); err != nil { if errorsapi.IsAlreadyExists(err) { wrc.log.V(6).Info("webhook already exists", "kind", kindMutating, "name", config.Name) + err = wrc.updateMutatingWebhookConfiguration(config) + if err != nil { + return err + } return nil } @@ -414,6 +428,10 @@ func (wrc *Register) createVerifyMutatingWebhookConfiguration(caData []byte) err if _, err := wrc.client.CreateResource("", kindMutating, "", *config, false); err != nil { if errorsapi.IsAlreadyExists(err) { wrc.log.V(6).Info("webhook already exists", "kind", kindMutating, "name", config.Name) + err = wrc.updateMutatingWebhookConfiguration(config) + if err != nil { + return err + } return nil } @@ -684,9 +702,6 @@ func (wrc *Register) checkEndpoint() error { } } - // clean up old webhook configurations, if any - wrc.removeWebhookConfigurations() - err = fmt.Errorf("endpoint not ready") wrc.log.V(3).Info(err.Error(), "ns", config.KyvernoNamespace, "name", config.KyvernoServiceName) return err 
@@ -851,3 +866,93 @@ func (wrc *Register) updateResourceMutatingWebhookConfiguration(nsSelector map[s return nil }
+
+// updateMutatingWebhookConfiguration updates an existing MutatingWebhookConfiguration with the rules provided by
+// the targetConfig. If the targetConfig doesn't provide any rules, the existing rules will be preserved.
+func (wrc *Register) updateMutatingWebhookConfiguration(targetConfig *admregapi.MutatingWebhookConfiguration) error {
+ // Fetch the existing webhook.
+ currentConfiguration, err := wrc.mwcLister.Get(targetConfig.Name)
+ if err != nil {
+ return fmt.Errorf("failed to get %s %s: %v", kindMutating, targetConfig.Name, err)
+ }
+ // Create a map of the target webhooks.
+ targetWebhooksMap := make(map[string]admregapi.MutatingWebhook)
+ for _, w := range targetConfig.Webhooks {
+ targetWebhooksMap[w.Name] = w
+ }
+ // Update the webhooks.
+ newWebhooks := make([]admregapi.MutatingWebhook, 0)
+ for _, w := range currentConfiguration.Webhooks {
+ target, exist := targetWebhooksMap[w.Name]
+ if !exist {
+ continue
+ }
+ delete(targetWebhooksMap, w.Name)
+ // Update the webhook configuration
+ w.ClientConfig.URL = target.ClientConfig.URL
+ w.ClientConfig.Service = target.ClientConfig.Service
+ w.ClientConfig.CABundle = target.ClientConfig.CABundle
+ if target.Rules != nil {
+ // If the target webhook has rule definitions override the current.
+ w.Rules = target.Rules
+ }
+ newWebhooks = append(newWebhooks, w)
+ }
+ // Check if there are additional webhooks defined and add them.
+ for _, w := range targetWebhooksMap {
+ newWebhooks = append(newWebhooks, w)
+ }
+ // Update the current configuration.
+ currentConfiguration.Webhooks = newWebhooks
+ _, err = wrc.client.UpdateResource("", kindMutating, "", currentConfiguration, false)
+ if err != nil {
+ return err
+ }
+ wrc.log.V(3).Info("successfully updated mutatingWebhookConfigurations", "name", targetConfig.Name)
+ return nil
+}
+
+// updateValidatingWebhookConfiguration updates an existing ValidatingWebhookConfiguration with the rules provided by
+// the targetConfig. If the targetConfig doesn't provide any rules, the existing rules will be preserved.
+func (wrc *Register) updateValidatingWebhookConfiguration(targetConfig *admregapi.ValidatingWebhookConfiguration) error {
+ // Fetch the existing webhook.
+ currentConfiguration, err := wrc.vwcLister.Get(targetConfig.Name)
+ if err != nil {
+ return fmt.Errorf("failed to get %s %s: %v", kindValidating, targetConfig.Name, err)
+ }
+ // Create a map of the target webhooks.
+ targetWebhooksMap := make(map[string]admregapi.ValidatingWebhook)
+ for _, w := range targetConfig.Webhooks {
+ targetWebhooksMap[w.Name] = w
+ }
+ // Update the webhooks.
+ newWebhooks := make([]admregapi.ValidatingWebhook, 0)
+ for _, w := range currentConfiguration.Webhooks {
+ target, exist := targetWebhooksMap[w.Name]
+ if !exist {
+ continue
+ }
+ delete(targetWebhooksMap, w.Name)
+ // Update the webhook configuration
+ w.ClientConfig.URL = target.ClientConfig.URL
+ w.ClientConfig.Service = target.ClientConfig.Service
+ w.ClientConfig.CABundle = target.ClientConfig.CABundle
+ if target.Rules != nil {
+ // If the target webhook has rule definitions override the current.
+ w.Rules = target.Rules
+ }
+ newWebhooks = append(newWebhooks, w)
+ }
+ // Check if there are additional webhooks defined and add them.
+ for _, w := range targetWebhooksMap {
+ newWebhooks = append(newWebhooks, w)
+ }
+ // Update the current configuration.
+ currentConfiguration.Webhooks = newWebhooks
+ _, err = wrc.client.UpdateResource("", kindValidating, "", currentConfiguration, false)
+ if err != nil {
+ return err
+ }
+ wrc.log.V(3).Info("successfully updated validatingWebhookConfigurations", "name", targetConfig.Name)
+ return nil
+}
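Review bot: Both new helpers write to the object returned by the lister (`currentConfiguration.Webhooks = newWebhooks` after `wrc.mwcLister.Get` / `wrc.vwcLister.Get`), which is the shared informer cache's copy and should be treated as read-only; add `currentConfiguration = currentConfiguration.DeepCopy()` right after the error check in each function. Only `ClientConfig` and, when non-nil, `Rules` are taken from `targetConfig`, so `FailurePolicy`, `NamespaceSelector`, `ObjectSelector` and `TimeoutSeconds` of an existing webhook are kept as found. A configuration that drifted or was edited out-of-band to fail open or to skip namespaces would therefore survive a restart unless another code path, not visible in this hunk, reconciles it. The doc comments mention rules only and should state which fields are deliberately preserved. The lister read may also lag the API server, so `Get` can fail or `UpdateResource` can hit a conflict right after Create reported AlreadyExists; presumably the caller retries, but that is outside this hunk. Appending the leftover entries by ranging over `targetWebhooksMap` gives a different webhook order from run to run; iterating `targetConfig.Webhooks` and skipping names already handled would keep it stable.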