mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-01-20 18:52:16 +00:00
Code Activity

feat: add lazy loading feature flag (#7680)

Browse source 
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché 2023-06-27 07:44:15 +02:00 committed by GitHub
parent b4d2aae776
commit 441641515a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
18 changed files with 68 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
charts/kyverno/README.md
View file

@ -298,6 +298,7 @@ The chart values are organised per component.
| features.backgroundScan.backgroundScanInterval | string | `"1h"` | Background scan interval | | features.backgroundScan.backgroundScanInterval | string | `"1h"` | Background scan interval |
| features.backgroundScan.skipResourceFilters | bool | `true` | Skips resource filters in background scan | | features.backgroundScan.skipResourceFilters | bool | `true` | Skips resource filters in background scan |
| features.configMapCaching.enabled | bool | `true` | Enables the feature | | features.configMapCaching.enabled | bool | `true` | Enables the feature |
| features.deferredLoading.enabled | bool | `true` | Enables the feature |
| features.dumpPayload.enabled | bool | `false` | Enables the feature | | features.dumpPayload.enabled | bool | `false` | Enables the feature |
| features.forceFailurePolicyIgnore.enabled | bool | `false` | Enables the feature | | features.forceFailurePolicyIgnore.enabled | bool | `false` | Enables the feature |
| features.logging.format | string | `"text"` | Logging format | | features.logging.format | string | `"text"` | Logging format |

3
charts/kyverno/templates/_helpers.tpl
View file

@ -28,6 +28,9 @@
{{- with .configMapCaching -}} {{- with .configMapCaching -}}
{{- $flags = append $flags (print "--enableConfigMapCaching=" .enabled) -}} {{- $flags = append $flags (print "--enableConfigMapCaching=" .enabled) -}}
{{- end -}} {{- end -}}
{{- with .deferredLoading -}}
{{- $flags = append $flags (print "--enableDeferredLoading=" .enabled) -}}
{{- end -}}
{{- with .dumpPayload -}} {{- with .dumpPayload -}}
{{- $flags = append $flags (print "--dumpPayload=" .enabled) -}} {{- $flags = append $flags (print "--dumpPayload=" .enabled) -}}
{{- end -}} {{- end -}}

1
charts/kyverno/templates/admission-controller/deployment.yaml
View file

@ -155,6 +155,7 @@ spec:
"admissionReports" "admissionReports"
"autoUpdateWebhooks" "autoUpdateWebhooks"
"configMapCaching" "configMapCaching"
"deferredLoading"
"dumpPayload" "dumpPayload"
"forceFailurePolicyIgnore" "forceFailurePolicyIgnore"
"logging" "logging"

1
charts/kyverno/templates/background-controller/deployment.yaml
View file

@ -109,6 +109,7 @@ spec:
{{- end }} {{- end }}
{{- include "kyverno.features.flags" (pick (mergeOverwrite .Values.features .Values.backgroundController.featuresOverride) {{- include "kyverno.features.flags" (pick (mergeOverwrite .Values.features .Values.backgroundController.featuresOverride)
"configMapCaching" "configMapCaching"
"deferredLoading"
"logging" "logging"
"omitEvents" "omitEvents"
"policyExceptions" "policyExceptions"

1
charts/kyverno/templates/cleanup-controller/deployment.yaml
View file

@ -106,6 +106,7 @@ spec:
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- include "kyverno.features.flags" (pick (mergeOverwrite .Values.features .Values.cleanupController.featuresOverride) {{- include "kyverno.features.flags" (pick (mergeOverwrite .Values.features .Values.cleanupController.featuresOverride)
"deferredLoading"
"dumpPayload" "dumpPayload"
"logging" "logging"
) | nindent 12 }} ) | nindent 12 }}

1
charts/kyverno/templates/reports-controller/deployment.yaml
View file

@ -112,6 +112,7 @@ spec:
"aggregateReports" "aggregateReports"
"backgroundScan" "backgroundScan"
"configMapCaching" "configMapCaching"
"deferredLoading"
"logging" "logging"
"omitEvents" "omitEvents"
"policyExceptions" "policyExceptions"

3
charts/kyverno/values.yaml
View file

@ -349,6 +349,9 @@ features:
configMapCaching: configMapCaching:
# -- Enables the feature # -- Enables the feature
enabled: true enabled: true
deferredLoading:
# -- Enables the feature
enabled: true
dumpPayload: dumpPayload:
# -- Enables the feature # -- Enables the feature
enabled: false enabled: false

1
cmd/background-controller/main.go
View file

@ -99,6 +99,7 @@ func main() {
internal.WithKubeconfig(), internal.WithKubeconfig(),
internal.WithPolicyExceptions(), internal.WithPolicyExceptions(),
internal.WithConfigMapCaching(), internal.WithConfigMapCaching(),
internal.WithDeferredLoading(),
internal.WithRegistryClient(), internal.WithRegistryClient(),
internal.WithLeaderElection(), internal.WithLeaderElection(),
internal.WithKyvernoClient(), internal.WithKyvernoClient(),

1
cmd/cleanup-controller/main.go
View file

@ -67,6 +67,7 @@ func main() {
internal.WithKyvernoClient(), internal.WithKyvernoClient(),
internal.WithKyvernoDynamicClient(), internal.WithKyvernoDynamicClient(),
internal.WithConfigMapCaching(), internal.WithConfigMapCaching(),
internal.WithDeferredLoading(),
internal.WithFlagSets(flagset), internal.WithFlagSets(flagset),
) )
// parse flags // parse flags

12
cmd/internal/config.go
View file

@ -11,6 +11,7 @@ type Configuration interface {
UsesKubeconfig() bool UsesKubeconfig() bool
UsesPolicyExceptions() bool UsesPolicyExceptions() bool
UsesConfigMapCaching() bool UsesConfigMapCaching() bool
UsesDeferredLoading() bool
UsesCosign() bool UsesCosign() bool
UsesRegistryClient() bool UsesRegistryClient() bool
UsesLeaderElection() bool UsesLeaderElection() bool
@ -68,6 +69,12 @@ func WithConfigMapCaching() ConfigurationOption {
} }
} }
func WithDeferredLoading() ConfigurationOption {
return func(c *configuration) {
c.usesDeferredLoading = true
}
}
func WithCosign() ConfigurationOption { func WithCosign() ConfigurationOption {
return func(c *configuration) { return func(c *configuration) {
c.usesCosign = true c.usesCosign = true
@ -131,6 +138,7 @@ type configuration struct {
usesKubeconfig bool usesKubeconfig bool
usesPolicyExceptions bool usesPolicyExceptions bool
usesConfigMapCaching bool usesConfigMapCaching bool
usesDeferredLoading bool
usesCosign bool usesCosign bool
usesRegistryClient bool usesRegistryClient bool
usesLeaderElection bool usesLeaderElection bool
@ -166,6 +174,10 @@ func (c *configuration) UsesConfigMapCaching() bool {
return c.usesConfigMapCaching return c.usesConfigMapCaching
} }
func (c *configuration) UsesDeferredLoading() bool {
return c.usesDeferredLoading
}
func (c *configuration) UsesCosign() bool { func (c *configuration) UsesCosign() bool {
return c.usesCosign return c.usesCosign
} }

9
cmd/internal/flag.go
View file

@ -7,6 +7,7 @@ import (
"github.com/go-logr/logr" "github.com/go-logr/logr"
"github.com/kyverno/kyverno/pkg/leaderelection" "github.com/kyverno/kyverno/pkg/leaderelection"
"github.com/kyverno/kyverno/pkg/logging" "github.com/kyverno/kyverno/pkg/logging"
"github.com/kyverno/kyverno/pkg/toggle"
) )
var ( var (
@ -87,6 +88,10 @@ func initConfigMapCachingFlags() {
flag.BoolVar(&enableConfigMapCaching, "enableConfigMapCaching", true, "Enable config maps caching.") flag.BoolVar(&enableConfigMapCaching, "enableConfigMapCaching", true, "Enable config maps caching.")
} }
func initDeferredLoadingFlags() {
flag.Func(toggle.EnableDeferredLoadingFlagName, toggle.EnableDeferredLoadingDescription, toggle.EnableDeferredLoading.Parse)
}
func initCosignFlags() { func initCosignFlags() {
flag.StringVar(&imageSignatureRepository, "imageSignatureRepository", "", "(DEPRECATED, will be removed in 1.12) Alternate repository for image signatures. Can be overridden per rule via `verifyImages.Repository`.") flag.StringVar(&imageSignatureRepository, "imageSignatureRepository", "", "(DEPRECATED, will be removed in 1.12) Alternate repository for image signatures. Can be overridden per rule via `verifyImages.Repository`.")
} }
@ -160,6 +165,10 @@ func initFlags(config Configuration, opts ...Option) {
if config.UsesConfigMapCaching() { if config.UsesConfigMapCaching() {
initConfigMapCachingFlags() initConfigMapCachingFlags()
} }
// deferred loading
if config.UsesDeferredLoading() {
initDeferredLoadingFlags()
}
// cosign // cosign
if config.UsesCosign() { if config.UsesCosign() {
initCosignFlags() initCosignFlags()

1
cmd/kyverno/main.go
View file

@ -212,6 +212,7 @@ func main() {
internal.WithKubeconfig(), internal.WithKubeconfig(),
internal.WithPolicyExceptions(), internal.WithPolicyExceptions(),
internal.WithConfigMapCaching(), internal.WithConfigMapCaching(),
internal.WithDeferredLoading(),
internal.WithCosign(), internal.WithCosign(),
internal.WithRegistryClient(), internal.WithRegistryClient(),
internal.WithLeaderElection(), internal.WithLeaderElection(),

1
cmd/reports-controller/main.go
View file

@ -189,6 +189,7 @@ func main() {
internal.WithKubeconfig(), internal.WithKubeconfig(),
internal.WithPolicyExceptions(), internal.WithPolicyExceptions(),
internal.WithConfigMapCaching(), internal.WithConfigMapCaching(),
internal.WithDeferredLoading(),
internal.WithCosign(), internal.WithCosign(),
internal.WithRegistryClient(), internal.WithRegistryClient(),
internal.WithLeaderElection(), internal.WithLeaderElection(),

4
config/install-latest-testing.yaml
View file

@ -38799,6 +38799,7 @@ spec:
- --admissionReports=true - --admissionReports=true
- --autoUpdateWebhooks=true - --autoUpdateWebhooks=true
- --enableConfigMapCaching=true - --enableConfigMapCaching=true
- --enableDeferredLoading=true
- --dumpPayload=false - --dumpPayload=false
- --forceFailurePolicyIgnore=false - --forceFailurePolicyIgnore=false
- --loggingFormat=text - --loggingFormat=text
@ -38945,6 +38946,7 @@ spec:
- --otelConfig=prometheus - --otelConfig=prometheus
- --metricsPort=8000 - --metricsPort=8000
- --enableConfigMapCaching=true - --enableConfigMapCaching=true
- --enableDeferredLoading=true
- --loggingFormat=text - --loggingFormat=text
- --v=2 - --v=2
- --enablePolicyException=false - --enablePolicyException=false
@ -39041,6 +39043,7 @@ spec:
- --disableMetrics=false - --disableMetrics=false
- --otelConfig=prometheus - --otelConfig=prometheus
- --metricsPort=8000 - --metricsPort=8000
- --enableDeferredLoading=true
- --dumpPayload=false - --dumpPayload=false
- --loggingFormat=text - --loggingFormat=text
- --v=2 - --v=2
@ -39173,6 +39176,7 @@ spec:
- --backgroundScanInterval=1h - --backgroundScanInterval=1h
- --skipResourceFilters=true - --skipResourceFilters=true
- --enableConfigMapCaching=true - --enableConfigMapCaching=true
- --enableDeferredLoading=true
- --loggingFormat=text - --loggingFormat=text
- --v=2 - --v=2
- --enablePolicyException=false - --enablePolicyException=false

3
pkg/engine/context/loaders/apicall.go
View file

@ -49,17 +49,14 @@ func (a *apiLoader) LoadData() error {
if err != nil { if err != nil {
return fmt.Errorf("failed to initiaize APICal: %w", err) return fmt.Errorf("failed to initiaize APICal: %w", err)
} }
if a.data == nil { if a.data == nil {
var err error var err error
if a.data, err = executor.Fetch(a.ctx); err != nil { if a.data, err = executor.Fetch(a.ctx); err != nil {
return fmt.Errorf("failed to fetch data for APICall: %w", err) return fmt.Errorf("failed to fetch data for APICall: %w", err)
} }
} }
if _, err := executor.Store(a.data); err != nil { if _, err := executor.Store(a.data); err != nil {
return fmt.Errorf("failed to store data for APICall: %w", err) return fmt.Errorf("failed to store data for APICall: %w", err)
} }
return nil return nil
} }

16
pkg/engine/factories/contextloaderfactory.go
View file

@ -11,6 +11,7 @@ import (
"github.com/kyverno/kyverno/pkg/engine/context/loaders" "github.com/kyverno/kyverno/pkg/engine/context/loaders"
"github.com/kyverno/kyverno/pkg/engine/jmespath" "github.com/kyverno/kyverno/pkg/engine/jmespath"
"github.com/kyverno/kyverno/pkg/logging" "github.com/kyverno/kyverno/pkg/logging"
"github.com/kyverno/kyverno/pkg/toggle"
) )
type ContextLoaderFactoryOptions func(*contextLoader) type ContextLoaderFactoryOptions func(*contextLoader)
@ -54,20 +55,24 @@ func (l *contextLoader) Load(
} }
} }
for _, entry := range contextEntries { for _, entry := range contextEntries {
deferredLoader, err := l.newDeferredLoader(ctx, jp, client, rclientFactory, entry, jsonContext) loader, err := l.newLoader(ctx, jp, client, rclientFactory, entry, jsonContext)
if err != nil { if err != nil {
return fmt.Errorf("failed to create deferred loader for context entry %s", entry.Name) return fmt.Errorf("failed to create deferred loader for context entry %s", entry.Name)
} }
if deferredLoader != nil { if loader != nil {
if err := jsonContext.AddDeferredLoader(entry.Name, deferredLoader); err != nil { if toggle.FromContext(ctx).EnableDeferredLoading() {
return err if err := jsonContext.AddDeferredLoader(entry.Name, loader); err != nil {
return err
}
} else {
return loader.LoadData()
} }
} }
} }
return nil return nil
} }
func (l *contextLoader) newDeferredLoader( func (l *contextLoader) newLoader(
ctx context.Context, ctx context.Context,
jp jmespath.Interface, jp jmespath.Interface,
client engineapi.RawClient, client engineapi.RawClient,
@ -103,6 +108,5 @@ func (l *contextLoader) newDeferredLoader(
l := loaders.NewVariableLoader(l.logger, entry, jsonContext, jp) l := loaders.NewVariableLoader(l.logger, entry, jsonContext, jp)
return l, nil return l, nil
} }
return nil, fmt.Errorf("missing ConfigMap|APICall|ImageRegistry|Variable in context entry %s", entry.Name) return nil, fmt.Errorf("missing ConfigMap|APICall|ImageRegistry|Variable in context entry %s", entry.Name)
} }

14
pkg/toggle/context.go
View file

@ -9,6 +9,7 @@ var defaults Toggles = defaultToggles{}
type Toggles interface { type Toggles interface {
ProtectManagedResources() bool ProtectManagedResources() bool
ForceFailurePolicyIgnore() bool ForceFailurePolicyIgnore() bool
EnableDeferredLoading() bool
} }
type defaultToggles struct{} type defaultToggles struct{}
@ -21,15 +22,24 @@ func (defaultToggles) ForceFailurePolicyIgnore() bool {
return ForceFailurePolicyIgnore.enabled() return ForceFailurePolicyIgnore.enabled()
} }
func (defaultToggles) EnableDeferredLoading() bool {
return EnableDeferredLoading.enabled()
}
type contextKey struct{} type contextKey struct{}
func NewContext(ctx context.Context, toggles Toggles) context.Context { func NewContext(ctx context.Context, toggles Toggles) context.Context {
if ctx == nil {
return nil
}
return context.WithValue(ctx, contextKey{}, toggles) return context.WithValue(ctx, contextKey{}, toggles)
} }
func FromContext(ctx context.Context) Toggles { func FromContext(ctx context.Context) Toggles {
if toggles, ok := ctx.Value(contextKey{}).(Toggles); ok { if ctx != nil {
return toggles if toggles, ok := ctx.Value(contextKey{}).(Toggles); ok {
return toggles
}
} }
return defaults return defaults
} }

6
pkg/toggle/toggle.go
View file

@ -16,11 +16,17 @@ const (
ForceFailurePolicyIgnoreDescription = "Set the flag to 'true', to force set Failure Policy to 'ignore'." ForceFailurePolicyIgnoreDescription = "Set the flag to 'true', to force set Failure Policy to 'ignore'."
forceFailurePolicyIgnoreEnvVar = "FLAG_FORCE_FAILURE_POLICY_IGNORE" forceFailurePolicyIgnoreEnvVar = "FLAG_FORCE_FAILURE_POLICY_IGNORE"
defaultForceFailurePolicyIgnore = false defaultForceFailurePolicyIgnore = false
// enable deferred context loading
EnableDeferredLoadingFlagName = "enableDeferredLoading"
EnableDeferredLoadingDescription = "enable deferred loading of context variables"
enableDeferredLoadingEnvVar = "FLAG_ENABLE_DEFERRED_LOADING"
defaultEnableDeferredLoading = true
) )
var ( var (
ProtectManagedResources = newToggle(defaultProtectManagedResources, protectManagedResourcesEnvVar) ProtectManagedResources = newToggle(defaultProtectManagedResources, protectManagedResourcesEnvVar)
ForceFailurePolicyIgnore = newToggle(defaultForceFailurePolicyIgnore, forceFailurePolicyIgnoreEnvVar) ForceFailurePolicyIgnore = newToggle(defaultForceFailurePolicyIgnore, forceFailurePolicyIgnoreEnvVar)
EnableDeferredLoading = newToggle(defaultEnableDeferredLoading, enableDeferredLoadingEnvVar)
) )
type ToggleFlag interface { type ToggleFlag interface {