diff --git a/pkg/constant/constant.go b/pkg/constant/constant.go
new file mode 100644
index 0000000000..055a4b092e
--- /dev/null
+++ b/pkg/constant/constant.go
@@ -0,0 +1,12 @@
+package constant
+
+import "time"
+
+const (
+ CRDControllerResync = 10 * time.Minute
+ PolicyViolationControllerResync = 5 * time.Minute
+ PolicyControllerResync = time.Second
+ EventControllerResync = time.Second
+ GenerateControllerResync = time.Second
+ GenerateRequestControllerResync = time.Second
+)
diff --git a/pkg/event/controller.go b/pkg/event/controller.go
index a33e50f756..db39f1d9d6 100644
--- a/pkg/event/controller.go
+++ b/pkg/event/controller.go
@@ -1,13 +1,12 @@
 package event
 import (
- "time"
-
 "github.com/go-logr/logr"
 "github.com/nirmata/kyverno/pkg/client/clientset/versioned/scheme"
 kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1"
 kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"
+ "github.com/nirmata/kyverno/pkg/constant"
 client "github.com/nirmata/kyverno/pkg/dclient"
 v1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/runtime"
@@ -67,7 +66,7 @@ func initRecorder(client *client.Client, eventSource Source, log logr.Logger) re
 return nil
 }
 eventBroadcaster := record.NewBroadcaster()
- eventBroadcaster.StartLogging(klog.Infof)
+ eventBroadcaster.StartLogging(klog.V(5).Infof)
 eventInterface, err := client.GetEventsInterface()
 if err != nil {
 log.Error(err, "failed to get event interface for logging")
@@ -109,7 +108,7 @@ func (gen *Generator) Run(workers int, stopCh <-chan struct{}) {
 }
 for i := 0; i < workers; i++ {
- go wait.Until(gen.runWorker, time.Second, stopCh)
+ go wait.Until(gen.runWorker, constant.EventControllerResync, stopCh)
 }
 <-stopCh
 }
diff --git a/pkg/generate/cleanup/controller.go b/pkg/generate/cleanup/controller.go
index 2c31254219..a232dd4813 100644
--- a/pkg/generate/cleanup/controller.go
+++ b/pkg/generate/cleanup/controller.go
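Review bot: The six constants in the new pkg/constant/constant.go carry no doc comments, and the `Resync` suffix is misleading: at every use site in this diff they are the period argument of `wait.Until`, i.e. the delay before a worker function is re-invoked after it returns, not an informer resync interval. Because three distinct values appear (10m, 5m, 1s) a reader cannot tell whether the differences are intentional; a comment on the group such as `// Periods passed to wait.Until for each controller's worker loop; a worker is re-run this long after it returns.` plus one line on each non-default value would make that explicit. Note that the previous CRD period was 25s and the policy-violation period was 1s, so two of these constants change behaviour rather than merely centralise existing values.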
@@ -8,6 +8,7 @@ import (
 kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
 kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1"
 kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"
+ "github.com/nirmata/kyverno/pkg/constant"
 dclient "github.com/nirmata/kyverno/pkg/dclient"
 "k8s.io/apimachinery/pkg/api/errors"
 "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -199,7 +200,7 @@ func (c *Controller) Run(workers int, stopCh <-chan struct{}) {
 return
 }
 for i := 0; i < workers; i++ {
- go wait.Until(c.worker, time.Second, stopCh)
+ go wait.Until(c.worker, constant.GenerateRequestControllerResync, stopCh)
 }
 <-stopCh
 }
diff --git a/pkg/generate/controller.go b/pkg/generate/controller.go
index b848609177..a03dfe2734 100644
--- a/pkg/generate/controller.go
+++ b/pkg/generate/controller.go
@@ -8,6 +8,7 @@ import (
 kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
 kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1"
 kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"
+ "github.com/nirmata/kyverno/pkg/constant"
 dclient "github.com/nirmata/kyverno/pkg/dclient"
 "github.com/nirmata/kyverno/pkg/event"
 "github.com/nirmata/kyverno/pkg/policystatus"
@@ -219,7 +220,7 @@ func (c *Controller) Run(workers int, stopCh <-chan struct{}) {
 return
 }
 for i := 0; i < workers; i++ {
- go wait.Until(c.worker, time.Second, stopCh)
+ go wait.Until(c.worker, constant.GenerateControllerResync, stopCh)
 }
 <-stopCh
 }
diff --git a/pkg/openapi/crdSync.go b/pkg/openapi/crdSync.go
index 01ccab88bb..6edfc03ad1 100644
--- a/pkg/openapi/crdSync.go
+++ b/pkg/openapi/crdSync.go
@@ -4,7 +4,6 @@ import (
 "encoding/json"
 "errors"
 "fmt"
- "time"
 v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -19,6 +18,7 @@ import (
 openapi_v2 "github.com/googleapis/gnostic/OpenAPIv2"
 log "sigs.k8s.io/controller-runtime/pkg/log"
+ "github.com/nirmata/kyverno/pkg/constant"
 client "github.com/nirmata/kyverno/pkg/dclient"
 "k8s.io/apimachinery/pkg/util/wait"
 )
@@ -28,6 +28,36 @@ type crdSync struct {
 controller *Controller
 }
+// crdDefinitionPrior represents CRD's version prior to 1.16
+var crdDefinitionPrior struct {
+ Spec struct {
+ Names struct {
+ Kind string `json:"kind"`
+ } `json:"names"`
+ Validation struct {
+ OpenAPIV3Schema interface{} `json:"openAPIV3Schema"`
+ } `json:"validation"`
+ } `json:"spec"`
+}
+
+// crdDefinitionNew represents CRD in version 1.16+
+var crdDefinitionNew struct {
+ Spec struct {
+ Names struct {
+ Kind string `json:"kind"`
+ } `json:"names"`
+ Versions []struct {
+ Schema struct {
+ OpenAPIV3Schema interface{} `json:"openAPIV3Schema"`
+ } `json:"schema"`
+ Storage bool `json:"storage"`
+ } `json:"versions"`
+ } `json:"spec"`
+}
+
+var crdVersion struct {
+}
+
 func NewCRDSync(client *client.Client, controller *Controller) *crdSync {
 if controller == nil {
 panic(fmt.Errorf("nil controller sent into crd sync"))
@@ -54,7 +84,7 @@ func (c *crdSync) Run(workers int, stopCh <-chan struct{}) {
 c.sync()
 for i := 0; i < workers; i++ {
- go wait.Until(c.sync, time.Second*25, stopCh)
+ go wait.Until(c.sync, constant.CRDControllerResync, stopCh)
 }
 }
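Review bot: `crdDefinitionPrior` and `crdDefinitionNew` are package-level mutable variables that parseCRD (the `@@ -90,39 +120,42 @@` hunk further down) unmarshals into on every call, while `Run` in the next hunk starts `workers` goroutines that all invoke `c.sync` concurrently, so those writes are a data race. Worse, `json.Unmarshal` leaves struct fields absent from the input untouched, so a v1beta1 CRD parsed earlier leaves its `Validation.OpenAPIV3Schema` in `crdDefinitionPrior`, and the next v1 CRD (which carries `versions` but no `validation`) inherits that stale schema under its own kind name instead of reaching the `openV3schema == nil` branch; validation would then run against the wrong schema. Declaring both as locals inside parseCRD (`var crdDefinitionPrior struct{ ... }` as the old code did) restores per-call isolation; only the types need to be shared, not the values. The empty `var crdVersion struct{}` is unused (the loop variable in parseCRD shadows it) and should be dropped.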
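Review bot: `constant.CRDControllerResync` is 10 minutes, so this line raises the CRD schema sync interval from 25s to 10m, and the commit does not say whether that is intended. Between syncs a newly installed or updated CRD has no, or an outdated, OpenAPI schema in this controller, so policies touching such resources are checked against stale definitions for up to ten minutes. If the goal is only to reduce API-server load, a comment at the constant stating the accepted staleness window, or triggering `c.sync` from a CustomResourceDefinition informer on change, would make the trade-off explicit. The rest of `Run` continues outside the hunk.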
@@ -90,39 +120,42 @@ func (o *Controller) deleteCRDFromPreviousSync() {
 func (o *Controller) parseCRD(crd unstructured.Unstructured) {
 var err error
- var crdDefinition struct {
- Spec struct {
- Names struct {
- Kind string `json:"kind"`
- } `json:"names"`
- Validation struct {
- OpenAPIV3Schema interface{} `json:"openAPIV3Schema"`
- } `json:"validation"`
- } `json:"spec"`
- }
 crdRaw, _ := json.Marshal(crd.Object)
- _ = json.Unmarshal(crdRaw, &crdDefinition)
+ _ = json.Unmarshal(crdRaw, &crdDefinitionPrior)
- crdName := crdDefinition.Spec.Names.Kind
+ openV3schema := crdDefinitionPrior.Spec.Validation.OpenAPIV3Schema
+ crdName := crdDefinitionPrior.Spec.Names.Kind
- var schema yaml.MapSlice
- schemaRaw, _ := json.Marshal(crdDefinition.Spec.Validation.OpenAPIV3Schema)
+ if openV3schema == nil {
+ _ = json.Unmarshal(crdRaw, &crdDefinitionNew)
+ for _, crdVersion := range crdDefinitionNew.Spec.Versions {
+ if crdVersion.Storage {
+ openV3schema = crdVersion.Schema.OpenAPIV3Schema
+ crdName = crdDefinitionNew.Spec.Names.Kind
+ break
+ }
+ }
+ }
+
+ schemaRaw, _ := json.Marshal(openV3schema)
 if len(schemaRaw) < 1 {
- log.Log.V(4).Info("could not parse crd schema")
+ log.Log.V(3).Info("could not parse crd schema", "name", crdName)
 return
 }
 schemaRaw, err = addingDefaultFieldsToSchema(schemaRaw)
 if err != nil {
- log.Log.Error(err, "could not parse crd schema:")
+ log.Log.Error(err, "could not parse crd schema", "name", crdName)
 return
 }
+
+ var schema yaml.MapSlice
 _ = yaml.Unmarshal(schemaRaw, &schema)
 parsedSchema, err := openapi_v2.NewSchema(schema, compiler.NewContext("schema", nil))
 if err != nil {
- log.Log.Error(err, "could not parse crd schema:")
+ log.Log.Error(err, "could not parse crd schema", "name", crdName)
 return
 }
diff --git a/pkg/policy/controller.go b/pkg/policy/controller.go
index a0d3934be3..250aab5fe4 100644
--- a/pkg/policy/controller.go
+++ b/pkg/policy/controller.go
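Review bot: The `if len(schemaRaw) < 1` guard can no longer fire: when neither struct yields a schema, `openV3schema` stays nil and `json.Marshal(nil)` returns the four bytes `null`, so the new V(3) log line is dead and the literal `null` is handed to `addingDefaultFieldsToSchema`. Test the value rather than its encoding, e.g. `if openV3schema == nil {` placed before the Marshal, and drop the length test. Both `json.Unmarshal` results are still discarded with `_ =`, so a malformed CRD is silently treated as having no schema instead of being logged with the `name` key this commit just added. The body of parseCRD continues past the hunk.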
@@ -10,6 +10,7 @@ import (
 kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1"
 kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"
 "github.com/nirmata/kyverno/pkg/config"
+ "github.com/nirmata/kyverno/pkg/constant"
 client "github.com/nirmata/kyverno/pkg/dclient"
 "github.com/nirmata/kyverno/pkg/event"
 "github.com/nirmata/kyverno/pkg/policystore"
@@ -264,7 +265,7 @@ func (pc *PolicyController) Run(workers int, stopCh <-chan struct{}) {
 }
 for i := 0; i < workers; i++ {
- go wait.Until(pc.worker, time.Second, stopCh)
+ go wait.Until(pc.worker, constant.PolicyControllerResync, stopCh)
 }
 <-stopCh
diff --git a/pkg/policy/existing.go b/pkg/policy/existing.go
index 5f6fe09c67..44850b4df0 100644
--- a/pkg/policy/existing.go
+++ b/pkg/policy/existing.go
@@ -97,9 +97,14 @@ func getResourcesPerNamespace(kind string, client *client.Client, namespace stri
 // ls := mergeLabelSectors(rule.MatchResources.Selector, rule.ExcludeResources.Selector)
 // list resources
 log.V(4).Info("list resources to be processed")
+
+ if kind == "Namespace" {
+ namespace = ""
+ }
+
 list, err := client.ListResource(kind, namespace, ls)
 if err != nil {
- log.Error(err, "failed to list resources", "kind", kind)
+ log.Error(err, "failed to list resources", "kind", kind, "namespace", namespace)
 return nil
 }
 // filter based on name
diff --git a/pkg/policyviolation/generator.go b/pkg/policyviolation/generator.go
index ed3ffe76a2..e25ae23c6f 100644
--- a/pkg/policyviolation/generator.go
+++ b/pkg/policyviolation/generator.go
@@ -6,7 +6,6 @@ import (
 "strconv"
 "strings"
 "sync"
- "time"
 "github.com/go-logr/logr"
 kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
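Review bot: Clearing `namespace` only when `kind == "Namespace"` special-cases one cluster-scoped kind by name; any other cluster-scoped kind a policy can match (Node, ClusterRole, CustomResourceDefinition, and so on) still reaches `client.ListResource` with a namespace set and presumably fails the same way — ListResource itself is not visible here. The namespaced/cluster-scoped distinction is available from API discovery, so a scope check on the kind would cover every case; at minimum a comment such as `// Namespace is cluster-scoped; listing it with a namespace set fails` should explain why this kind alone is handled. getResourcesPerNamespace starts and ends outside the hunk.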
@@ -14,6 +13,7 @@ import (
 kyvernov1 "github.com/nirmata/kyverno/pkg/client/clientset/versioned/typed/kyverno/v1"
 kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1"
 kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"
+ "github.com/nirmata/kyverno/pkg/constant"
 "github.com/nirmata/kyverno/pkg/policystatus"
 dclient "github.com/nirmata/kyverno/pkg/dclient"
@@ -153,7 +153,7 @@ func (gen *Generator) Run(workers int, stopCh <-chan struct{}) {
 }
 for i := 0; i < workers; i++ {
- go wait.Until(gen.runWorker, time.Second, stopCh)
+ go wait.Until(gen.runWorker, constant.PolicyViolationControllerResync, stopCh)
 }
 <-stopCh
 }
diff --git a/pkg/webhooks/generate/generate.go b/pkg/webhooks/generate/generate.go
index 3631845541..3e1ded7530 100644
--- a/pkg/webhooks/generate/generate.go
+++ b/pkg/webhooks/generate/generate.go
@@ -8,6 +8,7 @@ import (
 "github.com/go-logr/logr"
 kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
+ "github.com/nirmata/kyverno/pkg/constant"
 utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 "k8s.io/apimachinery/pkg/util/wait"
 )
@@ -60,7 +61,7 @@ func (g *Generator) Run(workers int) {
 logger.V(4).Info("shutting down")
 }()
 for i := 0; i < workers; i++ {
- go wait.Until(g.process, time.Second, g.stopCh)
+ go wait.Until(g.process, constant.GenerateControllerResync, g.stopCh)
 }
 <-g.stopCh
 }
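Review bot: `constant.PolicyViolationControllerResync` is 5 minutes where the removed line used `time.Second`, so this `Run` hunk changes behaviour rather than only moving a literal: if `gen.runWorker` ever returns before `stopCh` closes (its body is not in the diff), each worker now idles for five minutes before resuming instead of one second, delaying policy-violation reporting by that much. If runWorker only returns on queue shutdown the period is harmless, but that assumption should be written next to the constant, or the value kept at `time.Second` like the other worker loops in this commit.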