fix: use webhook object instead of a list (#11516)
* fix: use webhook object instead of a list Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> * chore: add changelog Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> --------- Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
This commit is contained in:
parent
918f21c8cc
commit
5106d5227b
8 changed files with 31 additions and 42 deletions
|
@ -35,6 +35,8 @@ annotations:
|
||||||
artifacthub.io/changes: |
|
artifacthub.io/changes: |
|
||||||
- kind: fixed
|
- kind: fixed
|
||||||
description: switch to post-delete helm hook to clean up Kyverno configmap
|
description: switch to post-delete helm hook to clean up Kyverno configmap
|
||||||
|
- kind: fixed
|
||||||
|
description: modify config.webhooks to be as a single object instead of a list of webhooks.
|
||||||
dependencies:
|
dependencies:
|
||||||
- name: grafana
|
- name: grafana
|
||||||
version: v0.0.0
|
version: v0.0.0
|
||||||
|
|
|
@ -296,7 +296,7 @@ The chart values are organised per component.
|
||||||
| config.generateSuccessEvents | bool | `false` | Generate success events. |
|
| config.generateSuccessEvents | bool | `false` | Generate success events. |
|
||||||
| config.resourceFilters | list | See [values.yaml](values.yaml) | Resource types to be skipped by the Kyverno policy engine. Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list. These are joined together without spaces, run through `tpl`, and the result is set in the config map. |
|
| config.resourceFilters | list | See [values.yaml](values.yaml) | Resource types to be skipped by the Kyverno policy engine. Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list. These are joined together without spaces, run through `tpl`, and the result is set in the config map. |
|
||||||
| config.updateRequestThreshold | int | `1000` | Sets the threshold for the total number of UpdateRequests generated for mutateExisitng and generate policies. |
|
| config.updateRequestThreshold | int | `1000` | Sets the threshold for the total number of UpdateRequests generated for mutateExisitng and generate policies. |
|
||||||
| config.webhooks | list | `[{"namespaceSelector":{"matchExpressions":[{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kube-system"]}]}}]` | Defines the `namespaceSelector` in the webhook configurations. Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element will be forwarded to the webhook configurations. The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default) |
|
| config.webhooks | object | `{"namespaceSelector":{"matchExpressions":[{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kube-system"]}]}}` | Defines the `namespaceSelector`/`objectSelector` in the webhook configurations. The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default) |
|
||||||
| config.webhookAnnotations | object | `{"admissions.enforcer/disabled":"true"}` | Defines annotations to set on webhook configurations. |
|
| config.webhookAnnotations | object | `{"admissions.enforcer/disabled":"true"}` | Defines annotations to set on webhook configurations. |
|
||||||
| config.webhookLabels | object | `{}` | Defines labels to set on webhook configurations. |
|
| config.webhookLabels | object | `{}` | Defines labels to set on webhook configurations. |
|
||||||
| config.matchConditions | list | `[]` | Defines match conditions to set on webhook configurations (requires Kubernetes 1.27+). |
|
| config.matchConditions | list | `[]` | Defines match conditions to set on webhook configurations (requires Kubernetes 1.27+). |
|
||||||
|
|
|
@ -56,13 +56,11 @@
|
||||||
|
|
||||||
{{- define "kyverno.config.webhooks" -}}
|
{{- define "kyverno.config.webhooks" -}}
|
||||||
{{- $excludeDefault := dict "key" "kubernetes.io/metadata.name" "operator" "NotIn" "values" (list (include "kyverno.namespace" .)) }}
|
{{- $excludeDefault := dict "key" "kubernetes.io/metadata.name" "operator" "NotIn" "values" (list (include "kyverno.namespace" .)) }}
|
||||||
{{- $newWebhook := list }}
|
{{- $webhook := .Values.config.webhooks }}
|
||||||
{{- range $webhook := .Values.config.webhooks }}
|
{{- $namespaceSelector := default dict $webhook.namespaceSelector }}
|
||||||
{{- $namespaceSelector := default dict $webhook.namespaceSelector }}
|
{{- $matchExpressions := default list $namespaceSelector.matchExpressions }}
|
||||||
{{- $matchExpressions := default list $namespaceSelector.matchExpressions }}
|
{{- $newNamespaceSelector := dict "matchLabels" $namespaceSelector.matchLabels "matchExpressions" (append $matchExpressions $excludeDefault) }}
|
||||||
{{- $newNamespaceSelector := dict "matchLabels" $namespaceSelector.matchLabels "matchExpressions" (append $matchExpressions $excludeDefault) }}
|
{{- $newWebhook := merge (omit $webhook "namespaceSelector") (dict "namespaceSelector" $newNamespaceSelector) }}
|
||||||
{{- $newWebhook = append $newWebhook (merge (omit $webhook "namespaceSelector") (dict "namespaceSelector" $newNamespaceSelector)) }}
|
|
||||||
{{- end }}
|
|
||||||
{{- $newWebhook | toJson }}
|
{{- $newWebhook | toJson }}
|
||||||
{{- end -}}
|
{{- end -}}
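Review bot: `{{- $webhook := .Values.config.webhooks }}` assumes the value is a map; a chart user who still carries the pre-change list form `[{...}]`, or who sets the key to `null`, now gets an opaque template error at `$webhook.namespaceSelector` instead of a message saying the shape changed. Because this define produces the `namespaceSelector` that decides which namespaces the admission webhooks apply to, a confusing failure here is worth a guard: `{{- $webhook := default dict .Values.config.webhooks }}` followed by `{{- if eq (kindOf $webhook) "slice" }}{{ fail "config.webhooks is now a single object; move the first list entry to a map" }}{{ end }}`. Emitting `"matchLabels":null` when no labels are set is unchanged by this commit (see the rendered manifest), but it is worth knowing the JSON carries that key.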
|
||||||
|
|
||||||
|
|
|
@ -320,18 +320,16 @@ config:
|
||||||
# -- Sets the threshold for the total number of UpdateRequests generated for mutateExisitng and generate policies.
|
# -- Sets the threshold for the total number of UpdateRequests generated for mutateExisitng and generate policies.
|
||||||
updateRequestThreshold: 1000
|
updateRequestThreshold: 1000
|
||||||
|
|
||||||
# -- Defines the `namespaceSelector` in the webhook configurations.
|
# -- Defines the `namespaceSelector`/`objectSelector` in the webhook configurations.
|
||||||
# Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element
|
|
||||||
# will be forwarded to the webhook configurations.
|
|
||||||
# The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default)
|
# The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default)
|
||||||
webhooks:
|
webhooks:
|
||||||
# Exclude namespaces
|
# Exclude namespaces
|
||||||
- namespaceSelector:
|
namespaceSelector:
|
||||||
matchExpressions:
|
matchExpressions:
|
||||||
- key: kubernetes.io/metadata.name
|
- key: kubernetes.io/metadata.name
|
||||||
operator: NotIn
|
operator: NotIn
|
||||||
values:
|
values:
|
||||||
- kube-system
|
- kube-system
|
||||||
# Exclude objects
|
# Exclude objects
|
||||||
# - objectSelector:
|
# - objectSelector:
|
||||||
# matchExpressions:
|
# matchExpressions:
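Review bot: The commented-out example under `# Exclude objects` still reads `# - objectSelector:` with a list dash, although `webhooks` is now a single mapping; uncommenting it as written turns `webhooks` back into a list and breaks the template that now indexes it as a map. Change it to `#   objectSelector:`, aligned with `namespaceSelector`, so the example matches the new shape. The updated header comment could also note that existing `config.webhooks` list values must be migrated to their first element, since only that element was ever used.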
|
||||||
|
|
|
@ -175,7 +175,7 @@ data:
|
||||||
[Secret,kyverno,kyverno-svc.kyverno.svc.*]
|
[Secret,kyverno,kyverno-svc.kyverno.svc.*]
|
||||||
[Secret,kyverno,kyverno-cleanup-controller.kyverno.svc.*]
|
[Secret,kyverno,kyverno-cleanup-controller.kyverno.svc.*]
|
||||||
updateRequestThreshold: "1000"
|
updateRequestThreshold: "1000"
|
||||||
webhooks: "[{\"namespaceSelector\":{\"matchExpressions\":[{\"key\":\"kubernetes.io/metadata.name\",\"operator\":\"NotIn\",\"values\":[\"kube-system\"]},{\"key\":\"kubernetes.io/metadata.name\",\"operator\":\"NotIn\",\"values\":[\"kyverno\"]}],\"matchLabels\":null}}]"
|
webhooks: "{\"namespaceSelector\":{\"matchExpressions\":[{\"key\":\"kubernetes.io/metadata.name\",\"operator\":\"NotIn\",\"values\":[\"kube-system\"]},{\"key\":\"kubernetes.io/metadata.name\",\"operator\":\"NotIn\",\"values\":[\"kyverno\"]}],\"matchLabels\":null}}"
|
||||||
webhookAnnotations: "{\"admissions.enforcer/disabled\":\"true\"}"
|
webhookAnnotations: "{\"admissions.enforcer/disabled\":\"true\"}"
|
||||||
---
|
---
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
|
|
|
@ -174,8 +174,8 @@ type Configuration interface {
|
||||||
ToFilter(kind schema.GroupVersionKind, subresource, namespace, name string) bool
|
ToFilter(kind schema.GroupVersionKind, subresource, namespace, name string) bool
|
||||||
// GetGenerateSuccessEvents return if should generate success events
|
// GetGenerateSuccessEvents return if should generate success events
|
||||||
GetGenerateSuccessEvents() bool
|
GetGenerateSuccessEvents() bool
|
||||||
// GetWebhooks returns the webhook configs
|
// GetWebhook returns the webhook config
|
||||||
GetWebhooks() []WebhookConfig
|
GetWebhook() WebhookConfig
|
||||||
// GetWebhookAnnotations returns annotations to set on webhook configs
|
// GetWebhookAnnotations returns annotations to set on webhook configs
|
||||||
GetWebhookAnnotations() map[string]string
|
GetWebhookAnnotations() map[string]string
|
||||||
// GetWebhookLabels returns labels to set on webhook configs
|
// GetWebhookLabels returns labels to set on webhook configs
|
||||||
|
@ -199,7 +199,7 @@ type configuration struct {
|
||||||
inclusions match
|
inclusions match
|
||||||
filters []filter
|
filters []filter
|
||||||
generateSuccessEvents bool
|
generateSuccessEvents bool
|
||||||
webhooks []WebhookConfig
|
webhook WebhookConfig
|
||||||
webhookAnnotations map[string]string
|
webhookAnnotations map[string]string
|
||||||
webhookLabels map[string]string
|
webhookLabels map[string]string
|
||||||
matchConditions []admissionregistrationv1.MatchCondition
|
matchConditions []admissionregistrationv1.MatchCondition
|
||||||
|
@ -310,10 +310,10 @@ func (cd *configuration) GetGenerateSuccessEvents() bool {
|
||||||
return cd.generateSuccessEvents
|
return cd.generateSuccessEvents
|
||||||
}
|
}
|
||||||
|
|
||||||
func (cd *configuration) GetWebhooks() []WebhookConfig {
|
func (cd *configuration) GetWebhook() WebhookConfig {
|
||||||
cd.mux.RLock()
|
cd.mux.RLock()
|
||||||
defer cd.mux.RUnlock()
|
defer cd.mux.RUnlock()
|
||||||
return cd.webhooks
|
return cd.webhook
|
||||||
}
|
}
|
||||||
|
|
||||||
func (cd *configuration) GetWebhookAnnotations() map[string]string {
|
func (cd *configuration) GetWebhookAnnotations() map[string]string {
|
||||||
|
@ -364,7 +364,7 @@ func (cd *configuration) load(cm *corev1.ConfigMap) {
|
||||||
cd.inclusions = match{}
|
cd.inclusions = match{}
|
||||||
cd.filters = []filter{}
|
cd.filters = []filter{}
|
||||||
cd.generateSuccessEvents = false
|
cd.generateSuccessEvents = false
|
||||||
cd.webhooks = nil
|
cd.webhook = WebhookConfig{}
|
||||||
cd.webhookAnnotations = nil
|
cd.webhookAnnotations = nil
|
||||||
cd.webhookLabels = nil
|
cd.webhookLabels = nil
|
||||||
cd.matchConditions = nil
|
cd.matchConditions = nil
|
||||||
|
@ -451,11 +451,11 @@ func (cd *configuration) load(cm *corev1.ConfigMap) {
|
||||||
logger.Info("webhooks not set")
|
logger.Info("webhooks not set")
|
||||||
} else {
|
} else {
|
||||||
logger := logger.WithValues("webhooks", webhooks)
|
logger := logger.WithValues("webhooks", webhooks)
|
||||||
webhooks, err := parseWebhooks(webhooks)
|
webhook, err := parseWebhooks(webhooks)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logger.Error(err, "failed to parse webhooks")
|
logger.Error(err, "failed to parse webhooks")
|
||||||
} else {
|
} else {
|
||||||
cd.webhooks = webhooks
|
cd.webhook = *webhook
|
||||||
logger.Info("webhooks configured")
|
logger.Info("webhooks configured")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -526,7 +526,7 @@ func (cd *configuration) unload() {
|
||||||
cd.inclusions = match{}
|
cd.inclusions = match{}
|
||||||
cd.filters = []filter{}
|
cd.filters = []filter{}
|
||||||
cd.generateSuccessEvents = false
|
cd.generateSuccessEvents = false
|
||||||
cd.webhooks = nil
|
cd.webhook = WebhookConfig{}
|
||||||
cd.webhookAnnotations = nil
|
cd.webhookAnnotations = nil
|
||||||
cd.webhookLabels = nil
|
cd.webhookLabels = nil
|
||||||
logger.Info("configuration unloaded")
|
logger.Info("configuration unloaded")
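Review bot: In `load`, a `webhooks` entry that fails `parseWebhooks` is only logged, and because `cd.webhook` was already reset to `WebhookConfig{}` at the top of the same function the webhook configurations are then rebuilt with no namespace/object selector at all. This commit makes that path likely in practice: any ConfigMap still carrying the previous list form `[{...}]` no longer unmarshals into the struct. Since the selector is what keeps the admission webhooks away from kube-system and Kyverno's own namespace, consider failing closed rather than silently widening scope, e.g. `prev := cd.webhook` before the reset and `cd.webhook = prev` in the error branch, and make the error message mention the format change. `load` starts and ends outside this hunk.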
|
||||||
|
|
|
@ -17,12 +17,12 @@ type WebhookConfig struct {
|
||||||
ObjectSelector *metav1.LabelSelector `json:"objectSelector,omitempty"`
|
ObjectSelector *metav1.LabelSelector `json:"objectSelector,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
||||||
func parseWebhooks(in string) ([]WebhookConfig, error) {
|
func parseWebhooks(in string) (*WebhookConfig, error) {
|
||||||
var webhookCfgs []WebhookConfig
|
var webhookCfg WebhookConfig
|
||||||
if err := json.Unmarshal([]byte(in), &webhookCfgs); err != nil {
|
if err := json.Unmarshal([]byte(in), &webhookCfg); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
return webhookCfgs, nil
|
return &webhookCfg, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func parseExclusions(in string) (exclusions, inclusions []string) {
|
func parseExclusions(in string) (exclusions, inclusions []string) {
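Review bot: `parseWebhooks` decodes with plain `json.Unmarshal`, which silently ignores unknown keys, so a misspelt `namespaceSelectors` or a stray field yields an empty selector and presumably a webhook with no namespace restriction, with no error reported; for a setting that defines the admission boundary that should be a hard failure. A JSON array (the pre-change format) also fails only with the generic `cannot unmarshal array` message, giving operators no hint that the format changed. Use a decoder with `DisallowUnknownFields` and an explicit legacy-format check; this needs `errors` and `strings` in scope, which the visible hunk does not show.
```go
func parseWebhooks(in string) (*WebhookConfig, error) {
	// The pre-#11516 format was a JSON list; reject it with a clear message.
	if strings.HasPrefix(strings.TrimSpace(in), "[") {
		return nil, errors.New("webhooks must be a single JSON object, not a list")
	}
	var webhookCfg WebhookConfig
	dec := json.NewDecoder(strings.NewReader(in))
	dec.DisallowUnknownFields() // a typo must not silently widen webhook scope
	if err := dec.Decode(&webhookCfg); err != nil {
		return nil, err
	}
	return &webhookCfg, nil
}
```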
|
||||||
|
|
|
@ -823,11 +823,7 @@ func (c *controller) buildResourceMutatingWebhookConfiguration(ctx context.Conte
|
||||||
Webhooks: []admissionregistrationv1.MutatingWebhook{},
|
Webhooks: []admissionregistrationv1.MutatingWebhook{},
|
||||||
}
|
}
|
||||||
if c.watchdogCheck() {
|
if c.watchdogCheck() {
|
||||||
webhookCfg := config.WebhookConfig{}
|
webhookCfg := cfg.GetWebhook()
|
||||||
webhookCfgs := cfg.GetWebhooks()
|
|
||||||
if len(webhookCfgs) > 0 {
|
|
||||||
webhookCfg = webhookCfgs[0]
|
|
||||||
}
|
|
||||||
ignoreWebhook := newWebhook(c.defaultTimeout, ignore, cfg.GetMatchConditions())
|
ignoreWebhook := newWebhook(c.defaultTimeout, ignore, cfg.GetMatchConditions())
|
||||||
failWebhook := newWebhook(c.defaultTimeout, fail, cfg.GetMatchConditions())
|
failWebhook := newWebhook(c.defaultTimeout, fail, cfg.GetMatchConditions())
|
||||||
policies, err := c.getAllPolicies()
|
policies, err := c.getAllPolicies()
|
||||||
|
@ -964,12 +960,7 @@ func (c *controller) buildResourceValidatingWebhookConfiguration(ctx context.Con
|
||||||
Webhooks: []admissionregistrationv1.ValidatingWebhook{},
|
Webhooks: []admissionregistrationv1.ValidatingWebhook{},
|
||||||
}
|
}
|
||||||
if c.watchdogCheck() {
|
if c.watchdogCheck() {
|
||||||
webhookCfg := config.WebhookConfig{}
|
webhookCfg := cfg.GetWebhook()
|
||||||
webhookCfgs := cfg.GetWebhooks()
|
|
||||||
if len(webhookCfgs) > 0 {
|
|
||||||
webhookCfg = webhookCfgs[0]
|
|
||||||
}
|
|
||||||
|
|
||||||
ignoreWebhook := newWebhook(c.defaultTimeout, ignore, cfg.GetMatchConditions())
|
ignoreWebhook := newWebhook(c.defaultTimeout, ignore, cfg.GetMatchConditions())
|
||||||
failWebhook := newWebhook(c.defaultTimeout, fail, cfg.GetMatchConditions())
|
failWebhook := newWebhook(c.defaultTimeout, fail, cfg.GetMatchConditions())
|
||||||
policies, err := c.getAllPolicies()
|
policies, err := c.getAllPolicies()
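Review bot: `webhookCfg := cfg.GetWebhook()` copies the config by value, but `WebhookConfig`'s selector fields are pointers (`ObjectSelector *metav1.LabelSelector` in the struct hunk above), so the copy still shares the `LabelSelector` objects that `load` swaps out under `cd.mux`. If the builder later writes into `webhookCfg.NamespaceSelector` or `ObjectSelector` (the rest of the function is outside this hunk), that mutation reaches shared state without the lock and can race a ConfigMap reload; taking an isolated copy first, e.g. `nsSel := webhookCfg.NamespaceSelector.DeepCopy()`, avoids that. The same applies to the validating counterpart in the second hunk, which is an identical change. Both `buildResource*WebhookConfiguration` functions start and end outside the hunks.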
|
||||||
|
|