fix: webhooks reconciliation with policies (#11233)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2024-12-14 11:57:48 +00:00 · 2024-09-25 14:12:08 +02:00 · 2024-09-25 14:12:08 +02:00 · 3de1cb3f4f
commit 3de1cb3f4f
parent bfb00cffc8
3 changed files with 26 additions and 5 deletions
--- a/pkg/config/types.go
+++ b/pkg/config/types.go
@ -18,7 +18,7 @@ type WebhookConfig struct {
 }

 func parseWebhooks(in string) ([]WebhookConfig, error) {
-	webhookCfgs := make([]WebhookConfig, 0, 10)
+	var webhookCfgs []WebhookConfig
 	if err := json.Unmarshal([]byte(in), &webhookCfgs); err != nil {
 		return nil, err
 	}
--- a/pkg/controllers/webhook/controller.go
+++ b/pkg/controllers/webhook/controller.go
@ -48,6 +48,7 @@ import (
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/util/retry"
 	"k8s.io/client-go/util/workqueue"
+	"k8s.io/utils/ptr"
 )

 const (
@ -714,6 +715,7 @@ func (c *controller) buildVerifyMutatingWebhookConfiguration(_ context.Context,
 						"app.kubernetes.io/name": kyverno.ValueKyvernoApp,
 					},
 				},
+				MatchPolicy: ptr.To(admissionregistrationv1.Equivalent),
 			}},
 		},
 		nil
@ -737,6 +739,7 @@ func (c *controller) buildPolicyMutatingWebhookConfiguration(_ context.Context,
 				SideEffects:             &noneOnDryRun,
 				ReinvocationPolicy:      &ifNeeded,
 				AdmissionReviewVersions: []string{"v1"},
+				MatchPolicy:             ptr.To(admissionregistrationv1.Equivalent),
 			}},
 		},
 		nil
@ -759,6 +762,7 @@ func (c *controller) buildPolicyValidatingWebhookConfiguration(_ context.Context
 				TimeoutSeconds:          &c.defaultTimeout,
 				SideEffects:             &none,
 				AdmissionReviewVersions: []string{"v1"},
+				MatchPolicy:             ptr.To(admissionregistrationv1.Equivalent),
 			}},
 		},
 		nil
@ -786,6 +790,7 @@ func (c *controller) buildDefaultResourceMutatingWebhookConfiguration(_ context.
 				AdmissionReviewVersions: []string{"v1"},
 				TimeoutSeconds:          &c.defaultTimeout,
 				ReinvocationPolicy:      &ifNeeded,
+				MatchPolicy:             ptr.To(admissionregistrationv1.Equivalent),
 			}, {
 				Name:         config.MutatingWebhookName + "-fail",
 				ClientConfig: c.clientConfig(caBundle, config.MutatingWebhookServicePath+"/fail"),
@ -805,6 +810,7 @@ func (c *controller) buildDefaultResourceMutatingWebhookConfiguration(_ context.
 				AdmissionReviewVersions: []string{"v1"},
 				TimeoutSeconds:          &c.defaultTimeout,
 				ReinvocationPolicy:      &ifNeeded,
+				MatchPolicy:             ptr.To(admissionregistrationv1.Equivalent),
 			}},
 		},
 		nil
@ -871,6 +877,10 @@ func (c *controller) buildResourceMutatingWebhookConfiguration(ctx context.Conte

 func (c *controller) buildResourceMutatingWebhookRules(caBundle []byte, webhookCfg config.WebhookConfig, sideEffects *admissionregistrationv1.SideEffectClass, webhooks []*webhook, mapResourceToOpnType map[string][]admissionregistrationv1.OperationType) []admissionregistrationv1.MutatingWebhook {
 	var mutatingWebhooks []admissionregistrationv1.MutatingWebhook //nolint:prealloc
+	objectSelector := webhookCfg.ObjectSelector
+	if objectSelector == nil {
+		objectSelector = &metav1.LabelSelector{}
+	}
 	for _, webhook := range webhooks {
 		if webhook.isEmpty() {
 			continue
@ -888,10 +898,11 @@ func (c *controller) buildResourceMutatingWebhookRules(caBundle []byte, webhookC
 				SideEffects:             sideEffects,
 				AdmissionReviewVersions: []string{"v1"},
 				NamespaceSelector:       webhookCfg.NamespaceSelector,
-				ObjectSelector:          webhookCfg.ObjectSelector,
+				ObjectSelector:          objectSelector,
 				TimeoutSeconds:          &timeout,
 				ReinvocationPolicy:      &ifNeeded,
 				MatchConditions:         webhook.matchConditions,
+				MatchPolicy:             ptr.To(admissionregistrationv1.Equivalent),
 			},
 		)
 	}
@ -925,6 +936,7 @@ func (c *controller) buildDefaultResourceValidatingWebhookConfiguration(_ contex
 				SideEffects:             sideEffects,
 				AdmissionReviewVersions: []string{"v1"},
 				TimeoutSeconds:          &c.defaultTimeout,
+				MatchPolicy:             ptr.To(admissionregistrationv1.Equivalent),
 			}, {
 				Name:         config.ValidatingWebhookName + "-fail",
 				ClientConfig: c.clientConfig(caBundle, config.ValidatingWebhookServicePath+"/fail"),
@ -945,6 +957,7 @@ func (c *controller) buildDefaultResourceValidatingWebhookConfiguration(_ contex
 				SideEffects:             sideEffects,
 				AdmissionReviewVersions: []string{"v1"},
 				TimeoutSeconds:          &c.defaultTimeout,
+				MatchPolicy:             ptr.To(admissionregistrationv1.Equivalent),
 			}},
 		},
 		nil
@ -1047,6 +1060,10 @@ func (c *controller) buildResourceValidatingWebhookConfiguration(ctx context.Con

 func (c *controller) buildResourceValidatingWebhookRules(caBundle []byte, webhookCfg config.WebhookConfig, sideEffects *admissionregistrationv1.SideEffectClass, webhooks []*webhook, mapResourceToOpnType map[string][]admissionregistrationv1.OperationType) []admissionregistrationv1.ValidatingWebhook {
 	var validatingWebhooks []admissionregistrationv1.ValidatingWebhook //nolint:prealloc
+	objectSelector := webhookCfg.ObjectSelector
+	if objectSelector == nil {
+		objectSelector = &metav1.LabelSelector{}
+	}
 	for _, webhook := range webhooks {
 		if webhook.isEmpty() {
 			continue
@ -1064,9 +1081,10 @@ func (c *controller) buildResourceValidatingWebhookRules(caBundle []byte, webhoo
 				SideEffects:             sideEffects,
 				AdmissionReviewVersions: []string{"v1"},
 				NamespaceSelector:       webhookCfg.NamespaceSelector,
-				ObjectSelector:          webhookCfg.ObjectSelector,
+				ObjectSelector:          objectSelector,
 				TimeoutSeconds:          &timeout,
 				MatchConditions:         webhook.matchConditions,
+				MatchPolicy:             ptr.To(admissionregistrationv1.Equivalent),
 			},
 		)
 	}
--- a/pkg/controllers/webhook/utils.go
+++ b/pkg/controllers/webhook/utils.go
@ -108,6 +108,9 @@ func (wh *webhook) buildRulesWithOperations(final map[string][]admissionregistra
 		}
 		rules = append(rules, ruleforset...)
 	}
+	for _, rule := range rules {
+		slices.Sort(rule.Resources)
+	}
 	less := func(a []string, b []string) (int, bool) {
 		if x := cmp.Compare(len(a), len(b)); x != 0 {
 			return x, true
@ -140,7 +143,7 @@ func (wh *webhook) buildRulesWithOperations(final map[string][]admissionregistra
 func appendResourceInRule(resource sets.Set[string], operations []admissionregistrationv1.OperationType, ruleforset []admissionregistrationv1.RuleWithOperations) ([]admissionregistrationv1.RuleWithOperations, bool) {
 	for i, rule := range ruleforset {
 		if reflect.DeepEqual(rule.Operations, operations) {
-			ruleforset[i].Rule.Resources = append(rule.Rule.Resources, resource.UnsortedList()...)
+			ruleforset[i].Rule.Resources = append(rule.Rule.Resources, sets.List(resource)...)
 			return ruleforset, true
 		}
 	}
@ -335,7 +338,7 @@ func mergeOperations(operationStatusMap map[string]bool, currentOps []admissionr
 		}
 	}
 	result := sets.New(currentOps...).Insert(operationReq...)
-	return result.UnsortedList()
+	return sets.List(result)
 }

 func getOperationStatusMap() map[string]bool {