
fix: use webhook object instead of a list (#11516)

* fix: use webhook object instead of a list

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* chore: add changelog

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

---------

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
This commit is contained in:
Mariam Fahmy 2024-11-04 12:19:35 +02:00 committed by GitHub
parent 918f21c8cc
commit 5106d5227b
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
8 changed files with 31 additions and 42 deletions


@ -35,6 +35,8 @@ annotations:
artifacthub.io/changes: | artifacthub.io/changes: |
- kind: fixed - kind: fixed
description: switch to post-delete helm hook to clean up Kyverno configmap description: switch to post-delete helm hook to clean up Kyverno configmap
- kind: fixed
description: modify config.webhooks to be as a single object instead of a list of webhooks.
dependencies: dependencies:
- name: grafana - name: grafana
version: v0.0.0 version: v0.0.0


@ -296,7 +296,7 @@ The chart values are organised per component.
| config.generateSuccessEvents | bool | `false` | Generate success events. | | config.generateSuccessEvents | bool | `false` | Generate success events. |
| config.resourceFilters | list | See [values.yaml](values.yaml) | Resource types to be skipped by the Kyverno policy engine. Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list. These are joined together without spaces, run through `tpl`, and the result is set in the config map. | | config.resourceFilters | list | See [values.yaml](values.yaml) | Resource types to be skipped by the Kyverno policy engine. Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list. These are joined together without spaces, run through `tpl`, and the result is set in the config map. |
| config.updateRequestThreshold | int | `1000` | Sets the threshold for the total number of UpdateRequests generated for mutateExisitng and generate policies. | | config.updateRequestThreshold | int | `1000` | Sets the threshold for the total number of UpdateRequests generated for mutateExisitng and generate policies. |
| config.webhooks | list | `[{"namespaceSelector":{"matchExpressions":[{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kube-system"]}]}}]` | Defines the `namespaceSelector` in the webhook configurations. Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element will be forwarded to the webhook configurations. The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default) | | config.webhooks | object | `{"namespaceSelector":{"matchExpressions":[{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kube-system"]}]}}` | Defines the `namespaceSelector`/`objectSelector` in the webhook configurations. The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default) |
| config.webhookAnnotations | object | `{"admissions.enforcer/disabled":"true"}` | Defines annotations to set on webhook configurations. | | config.webhookAnnotations | object | `{"admissions.enforcer/disabled":"true"}` | Defines annotations to set on webhook configurations. |
| config.webhookLabels | object | `{}` | Defines labels to set on webhook configurations. | | config.webhookLabels | object | `{}` | Defines labels to set on webhook configurations. |
| config.matchConditions | list | `[]` | Defines match conditions to set on webhook configurations (requires Kubernetes 1.27+). | | config.matchConditions | list | `[]` | Defines match conditions to set on webhook configurations (requires Kubernetes 1.27+). |


@ -56,13 +56,11 @@
{{- define "kyverno.config.webhooks" -}} {{- define "kyverno.config.webhooks" -}}
{{- $excludeDefault := dict "key" "kubernetes.io/metadata.name" "operator" "NotIn" "values" (list (include "kyverno.namespace" .)) }} {{- $excludeDefault := dict "key" "kubernetes.io/metadata.name" "operator" "NotIn" "values" (list (include "kyverno.namespace" .)) }}
{{- $newWebhook := list }} {{- $webhook := .Values.config.webhooks }}
{{- range $webhook := .Values.config.webhooks }} {{- $namespaceSelector := default dict $webhook.namespaceSelector }}
{{- $namespaceSelector := default dict $webhook.namespaceSelector }} {{- $matchExpressions := default list $namespaceSelector.matchExpressions }}
{{- $matchExpressions := default list $namespaceSelector.matchExpressions }} {{- $newNamespaceSelector := dict "matchLabels" $namespaceSelector.matchLabels "matchExpressions" (append $matchExpressions $excludeDefault) }}
{{- $newNamespaceSelector := dict "matchLabels" $namespaceSelector.matchLabels "matchExpressions" (append $matchExpressions $excludeDefault) }} {{- $newWebhook := merge (omit $webhook "namespaceSelector") (dict "namespaceSelector" $newNamespaceSelector) }}
{{- $newWebhook = append $newWebhook (merge (omit $webhook "namespaceSelector") (dict "namespaceSelector" $newNamespaceSelector)) }}
{{- end }}
{{- $newWebhook | toJson }} {{- $newWebhook | toJson }}
{{- end -}} {{- end -}}
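Review bot: `{{- $webhook := .Values.config.webhooks }}` on the new side assumes an object, so a values file that still sets `config.webhooks` as a list (the shape every earlier chart version documented) no longer iterates but fails at render time on `$webhook.namespaceSelector` with a low-level template error, and a `null` value fails the same way. A guard turns that into an actionable upgrade message: `{{- if kindIs "slice" $webhook }}{{- fail "config.webhooks is now a single object; move the first list entry to the top level" }}{{- end }}`, and `{{- $webhook := default dict .Values.config.webhooks }}` covers the null case. The whole `kyverno.config.webhooks` define is inside the hunk.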


@ -320,18 +320,16 @@ config:
# -- Sets the threshold for the total number of UpdateRequests generated for mutateExisitng and generate policies. # -- Sets the threshold for the total number of UpdateRequests generated for mutateExisitng and generate policies.
updateRequestThreshold: 1000 updateRequestThreshold: 1000
# -- Defines the `namespaceSelector` in the webhook configurations. # -- Defines the `namespaceSelector`/`objectSelector` in the webhook configurations.
# Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element
# will be forwarded to the webhook configurations.
# The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default) # The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default)
webhooks: webhooks:
# Exclude namespaces # Exclude namespaces
- namespaceSelector: namespaceSelector:
matchExpressions: matchExpressions:
- key: kubernetes.io/metadata.name - key: kubernetes.io/metadata.name
operator: NotIn operator: NotIn
values: values:
- kube-system - kube-system
# Exclude objects # Exclude objects
# - objectSelector: # - objectSelector:
# matchExpressions: # matchExpressions:
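Review bot: The commented `objectSelector` example at the end of the hunk (`# - objectSelector:`) still uses list syntax, so anyone uncommenting it as documented turns `config.webhooks` back into a list that the updated template no longer accepts. It should become a sibling key of `namespaceSelector`, i.e. `#   objectSelector:` followed by `#     matchExpressions:` at the matching indent. The rest of that example continues outside the hunk.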


@ -175,7 +175,7 @@ data:
[Secret,kyverno,kyverno-svc.kyverno.svc.*] [Secret,kyverno,kyverno-svc.kyverno.svc.*]
[Secret,kyverno,kyverno-cleanup-controller.kyverno.svc.*] [Secret,kyverno,kyverno-cleanup-controller.kyverno.svc.*]
updateRequestThreshold: "1000" updateRequestThreshold: "1000"
webhooks: "[{\"namespaceSelector\":{\"matchExpressions\":[{\"key\":\"kubernetes.io/metadata.name\",\"operator\":\"NotIn\",\"values\":[\"kube-system\"]},{\"key\":\"kubernetes.io/metadata.name\",\"operator\":\"NotIn\",\"values\":[\"kyverno\"]}],\"matchLabels\":null}}]" webhooks: "{\"namespaceSelector\":{\"matchExpressions\":[{\"key\":\"kubernetes.io/metadata.name\",\"operator\":\"NotIn\",\"values\":[\"kube-system\"]},{\"key\":\"kubernetes.io/metadata.name\",\"operator\":\"NotIn\",\"values\":[\"kyverno\"]}],\"matchLabels\":null}}"
webhookAnnotations: "{\"admissions.enforcer/disabled\":\"true\"}" webhookAnnotations: "{\"admissions.enforcer/disabled\":\"true\"}"
--- ---
apiVersion: v1 apiVersion: v1


@ -174,8 +174,8 @@ type Configuration interface {
ToFilter(kind schema.GroupVersionKind, subresource, namespace, name string) bool ToFilter(kind schema.GroupVersionKind, subresource, namespace, name string) bool
// GetGenerateSuccessEvents return if should generate success events // GetGenerateSuccessEvents return if should generate success events
GetGenerateSuccessEvents() bool GetGenerateSuccessEvents() bool
// GetWebhooks returns the webhook configs // GetWebhook returns the webhook config
GetWebhooks() []WebhookConfig GetWebhook() WebhookConfig
// GetWebhookAnnotations returns annotations to set on webhook configs // GetWebhookAnnotations returns annotations to set on webhook configs
GetWebhookAnnotations() map[string]string GetWebhookAnnotations() map[string]string
// GetWebhookLabels returns labels to set on webhook configs // GetWebhookLabels returns labels to set on webhook configs
@ -199,7 +199,7 @@ type configuration struct {
inclusions match inclusions match
filters []filter filters []filter
generateSuccessEvents bool generateSuccessEvents bool
webhooks []WebhookConfig webhook WebhookConfig
webhookAnnotations map[string]string webhookAnnotations map[string]string
webhookLabels map[string]string webhookLabels map[string]string
matchConditions []admissionregistrationv1.MatchCondition matchConditions []admissionregistrationv1.MatchCondition
@ -310,10 +310,10 @@ func (cd *configuration) GetGenerateSuccessEvents() bool {
return cd.generateSuccessEvents return cd.generateSuccessEvents
} }
func (cd *configuration) GetWebhooks() []WebhookConfig { func (cd *configuration) GetWebhook() WebhookConfig {
cd.mux.RLock() cd.mux.RLock()
defer cd.mux.RUnlock() defer cd.mux.RUnlock()
return cd.webhooks return cd.webhook
} }
func (cd *configuration) GetWebhookAnnotations() map[string]string { func (cd *configuration) GetWebhookAnnotations() map[string]string {
@ -364,7 +364,7 @@ func (cd *configuration) load(cm *corev1.ConfigMap) {
cd.inclusions = match{} cd.inclusions = match{}
cd.filters = []filter{} cd.filters = []filter{}
cd.generateSuccessEvents = false cd.generateSuccessEvents = false
cd.webhooks = nil cd.webhook = WebhookConfig{}
cd.webhookAnnotations = nil cd.webhookAnnotations = nil
cd.webhookLabels = nil cd.webhookLabels = nil
cd.matchConditions = nil cd.matchConditions = nil
@ -451,11 +451,11 @@ func (cd *configuration) load(cm *corev1.ConfigMap) {
logger.Info("webhooks not set") logger.Info("webhooks not set")
} else { } else {
logger := logger.WithValues("webhooks", webhooks) logger := logger.WithValues("webhooks", webhooks)
webhooks, err := parseWebhooks(webhooks) webhook, err := parseWebhooks(webhooks)
if err != nil { if err != nil {
logger.Error(err, "failed to parse webhooks") logger.Error(err, "failed to parse webhooks")
} else { } else {
cd.webhooks = webhooks cd.webhook = *webhook
logger.Info("webhooks configured") logger.Info("webhooks configured")
} }
} }
@ -526,7 +526,7 @@ func (cd *configuration) unload() {
cd.inclusions = match{} cd.inclusions = match{}
cd.filters = []filter{} cd.filters = []filter{}
cd.generateSuccessEvents = false cd.generateSuccessEvents = false
cd.webhooks = nil cd.webhook = WebhookConfig{}
cd.webhookAnnotations = nil cd.webhookAnnotations = nil
cd.webhookLabels = nil cd.webhookLabels = nil
logger.Info("configuration unloaded") logger.Info("configuration unloaded")
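Review bot: `GetWebhook() WebhookConfig` hands out a struct copy, but `ObjectSelector` is a `*metav1.LabelSelector` (visible in the parse hunk; the namespace selector field is presumably the same), so the copy still aliases the selectors owned by `configuration` and the `RLock` does not shield a caller from a concurrent `load` replacing or mutating them. The interface comment should make that explicit, e.g. `// GetWebhook returns a copy of the webhook config; its selector pointers alias the loaded state and must be treated as read-only by callers`. Note also that when `parseWebhooks` fails in `load`, `cd.webhook` keeps the `WebhookConfig{}` reset done earlier in the same function, which callers cannot tell apart from an intentionally empty selector. The `load` and `unload` bodies extend beyond their hunks.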


@ -17,12 +17,12 @@ type WebhookConfig struct {
ObjectSelector *metav1.LabelSelector `json:"objectSelector,omitempty"` ObjectSelector *metav1.LabelSelector `json:"objectSelector,omitempty"`
} }
func parseWebhooks(in string) ([]WebhookConfig, error) { func parseWebhooks(in string) (*WebhookConfig, error) {
var webhookCfgs []WebhookConfig var webhookCfg WebhookConfig
if err := json.Unmarshal([]byte(in), &webhookCfgs); err != nil { if err := json.Unmarshal([]byte(in), &webhookCfg); err != nil {
return nil, err return nil, err
} }
return webhookCfgs, nil return &webhookCfg, nil
} }
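Review bot: `json.Unmarshal` into a single `WebhookConfig` rejects the JSON list that every existing `kyverno` ConfigMap (and any hand-maintained one) still carries, and `load` reacts to that error by logging it and leaving the zero `WebhookConfig{}` in place; the controllers then presumably build webhook configurations without the kube-system/kyverno namespace exclusion, i.e. a stale ConfigMap silently widens admission scope during an upgrade. Accepting the legacy list form with the former first-element semantics keeps the exclusion in place until the ConfigMap is regenerated, at no cost to the new object form. Returning the object-parse error when neither shape parses keeps the existing log message meaningful.
```go
func parseWebhooks(in string) (*WebhookConfig, error) {
	var webhookCfg WebhookConfig
	objErr := json.Unmarshal([]byte(in), &webhookCfg)
	if objErr == nil {
		return &webhookCfg, nil
	}
	// Compatibility: a ConfigMap written by an earlier chart (or maintained by
	// hand) still carries a JSON list. Keep the former "first element wins"
	// behaviour instead of failing and running with an empty selector.
	var webhookCfgs []WebhookConfig
	if err := json.Unmarshal([]byte(in), &webhookCfgs); err != nil {
		return nil, objErr
	}
	if len(webhookCfgs) == 0 {
		return &WebhookConfig{}, nil
	}
	return &webhookCfgs[0], nil
}
```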
func parseExclusions(in string) (exclusions, inclusions []string) { func parseExclusions(in string) (exclusions, inclusions []string) {


@ -823,11 +823,7 @@ func (c *controller) buildResourceMutatingWebhookConfiguration(ctx context.Conte
Webhooks: []admissionregistrationv1.MutatingWebhook{}, Webhooks: []admissionregistrationv1.MutatingWebhook{},
} }
if c.watchdogCheck() { if c.watchdogCheck() {
webhookCfg := config.WebhookConfig{} webhookCfg := cfg.GetWebhook()
webhookCfgs := cfg.GetWebhooks()
if len(webhookCfgs) > 0 {
webhookCfg = webhookCfgs[0]
}
ignoreWebhook := newWebhook(c.defaultTimeout, ignore, cfg.GetMatchConditions()) ignoreWebhook := newWebhook(c.defaultTimeout, ignore, cfg.GetMatchConditions())
failWebhook := newWebhook(c.defaultTimeout, fail, cfg.GetMatchConditions()) failWebhook := newWebhook(c.defaultTimeout, fail, cfg.GetMatchConditions())
policies, err := c.getAllPolicies() policies, err := c.getAllPolicies()
@ -964,12 +960,7 @@ func (c *controller) buildResourceValidatingWebhookConfiguration(ctx context.Con
Webhooks: []admissionregistrationv1.ValidatingWebhook{}, Webhooks: []admissionregistrationv1.ValidatingWebhook{},
} }
if c.watchdogCheck() { if c.watchdogCheck() {
webhookCfg := config.WebhookConfig{} webhookCfg := cfg.GetWebhook()
webhookCfgs := cfg.GetWebhooks()
if len(webhookCfgs) > 0 {
webhookCfg = webhookCfgs[0]
}
ignoreWebhook := newWebhook(c.defaultTimeout, ignore, cfg.GetMatchConditions()) ignoreWebhook := newWebhook(c.defaultTimeout, ignore, cfg.GetMatchConditions())
failWebhook := newWebhook(c.defaultTimeout, fail, cfg.GetMatchConditions()) failWebhook := newWebhook(c.defaultTimeout, fail, cfg.GetMatchConditions())
policies, err := c.getAllPolicies() policies, err := c.getAllPolicies()
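Review bot: `webhookCfg := cfg.GetWebhook()` (in both the mutating and the validating hunk) removes the `len(webhookCfgs) > 0` distinction, so a `WebhookConfig{}` left behind when `load` could not parse the ConfigMap value is indistinguishable here from a deliberately empty selector, and the generated webhook configurations presumably go out without the namespace exclusion and without any signal. A log line at this point when both `ObjectSelector` and the namespace selector field are nil would make a dropped exclusion visible in the controller logs before the configuration is applied. Both `buildResourceMutatingWebhookConfiguration` and `buildResourceValidatingWebhookConfiguration` start and end outside their hunks.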