
fix: image cache panic and cleanup (#8512)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché 2023-09-22 12:40:16 +02:00 committed by GitHub
parent 21e044eb1a
commit 61aa713d27
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 18 additions and 20 deletions


@ -16,7 +16,6 @@ import (
"github.com/kyverno/kyverno/pkg/engine/factories" "github.com/kyverno/kyverno/pkg/engine/factories"
"github.com/kyverno/kyverno/pkg/engine/jmespath" "github.com/kyverno/kyverno/pkg/engine/jmespath"
"github.com/kyverno/kyverno/pkg/event" "github.com/kyverno/kyverno/pkg/event"
"github.com/kyverno/kyverno/pkg/imageverifycache"
"github.com/kyverno/kyverno/pkg/metrics" "github.com/kyverno/kyverno/pkg/metrics"
controllerutils "github.com/kyverno/kyverno/pkg/utils/controller" controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"
"github.com/kyverno/kyverno/pkg/utils/match" "github.com/kyverno/kyverno/pkg/utils/match"
@ -131,7 +130,6 @@ func (h *handlers) executePolicy(
h.jp, h.jp,
h.client, h.client,
nil, nil,
imageverifycache.DisabledImageVerifyCache(),
spec.Context, spec.Context,
enginectx, enginectx,
); err != nil { ); err != nil {


@ -8,7 +8,6 @@ import (
enginecontext "github.com/kyverno/kyverno/pkg/engine/context" enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
"github.com/kyverno/kyverno/pkg/engine/factories" "github.com/kyverno/kyverno/pkg/engine/factories"
"github.com/kyverno/kyverno/pkg/engine/jmespath" "github.com/kyverno/kyverno/pkg/engine/jmespath"
"github.com/kyverno/kyverno/pkg/imageverifycache"
) )
func ContextLoaderFactory(cmResolver engineapi.ConfigmapResolver) engineapi.ContextLoaderFactory { func ContextLoaderFactory(cmResolver engineapi.ConfigmapResolver) engineapi.ContextLoaderFactory {
@ -49,7 +48,6 @@ func (w wrapper) Load(
jp jmespath.Interface, jp jmespath.Interface,
client engineapi.RawClient, client engineapi.RawClient,
rclientFactory engineapi.RegistryClientFactory, rclientFactory engineapi.RegistryClientFactory,
ivCache imageverifycache.Client,
contextEntries []kyvernov1.ContextEntry, contextEntries []kyvernov1.ContextEntry,
jsonContext enginecontext.Interface, jsonContext enginecontext.Interface,
) error { ) error {
@ -59,5 +57,5 @@ func (w wrapper) Load(
if !GetRegistryAccess() { if !GetRegistryAccess() {
rclientFactory = nil rclientFactory = nil
} }
return w.inner.Load(ctx, jp, client, rclientFactory, ivCache, contextEntries, jsonContext) return w.inner.Load(ctx, jp, client, rclientFactory, contextEntries, jsonContext)
} }


@ -6,7 +6,6 @@ import (
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
enginecontext "github.com/kyverno/kyverno/pkg/engine/context" enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
"github.com/kyverno/kyverno/pkg/engine/jmespath" "github.com/kyverno/kyverno/pkg/engine/jmespath"
"github.com/kyverno/kyverno/pkg/imageverifycache"
) )
type RegistryClientFactory interface { type RegistryClientFactory interface {
@ -25,7 +24,6 @@ type ContextLoader interface {
jp jmespath.Interface, jp jmespath.Interface,
client RawClient, client RawClient,
rclientFactory RegistryClientFactory, rclientFactory RegistryClientFactory,
ivCache imageverifycache.Client,
contextEntries []kyvernov1.ContextEntry, contextEntries []kyvernov1.ContextEntry,
jsonContext enginecontext.Interface, jsonContext enginecontext.Interface,
) error ) error


@ -180,7 +180,6 @@ func (e *engine) ContextLoader(
e.jp, e.jp,
e.client, e.client,
e.rclientFactory, e.rclientFactory,
e.ivCache,
contextEntries, contextEntries,
jsonContext, jsonContext,
) )


@ -10,7 +10,6 @@ import (
enginecontext "github.com/kyverno/kyverno/pkg/engine/context" enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
"github.com/kyverno/kyverno/pkg/engine/context/loaders" "github.com/kyverno/kyverno/pkg/engine/context/loaders"
"github.com/kyverno/kyverno/pkg/engine/jmespath" "github.com/kyverno/kyverno/pkg/engine/jmespath"
"github.com/kyverno/kyverno/pkg/imageverifycache"
"github.com/kyverno/kyverno/pkg/logging" "github.com/kyverno/kyverno/pkg/logging"
"github.com/kyverno/kyverno/pkg/toggle" "github.com/kyverno/kyverno/pkg/toggle"
) )
@ -47,7 +46,6 @@ func (l *contextLoader) Load(
jp jmespath.Interface, jp jmespath.Interface,
client engineapi.RawClient, client engineapi.RawClient,
rclientFactory engineapi.RegistryClientFactory, rclientFactory engineapi.RegistryClientFactory,
ivCache imageverifycache.Client,
contextEntries []kyvernov1.ContextEntry, contextEntries []kyvernov1.ContextEntry,
jsonContext enginecontext.Interface, jsonContext enginecontext.Interface,
) error { ) error {


@ -245,14 +245,19 @@ func (iv *ImageVerifier) Verify(
continue continue
} }
start := time.Now() start := time.Now()
isInCache := false
if iv.ivCache != nil {
found, err := iv.ivCache.Get(ctx, iv.policyContext.Policy(), iv.rule.Name, image) found, err := iv.ivCache.Get(ctx, iv.policyContext.Policy(), iv.rule.Name, image)
if err != nil { if err != nil {
iv.logger.Error(err, "error occurred during cache get") iv.logger.Error(err, "error occurred during cache get")
} else {
isInCache = found
}
} }
var ruleResp *engineapi.RuleResponse var ruleResp *engineapi.RuleResponse
var digest string var digest string
if found { if isInCache {
iv.logger.V(2).Info("cache entry found", "namespace", iv.policyContext.Policy().GetNamespace(), "policy", iv.policyContext.Policy().GetName(), "ruleName", iv.rule.Name, "imageRef", image) iv.logger.V(2).Info("cache entry found", "namespace", iv.policyContext.Policy().GetNamespace(), "policy", iv.policyContext.Policy().GetName(), "ruleName", iv.rule.Name, "imageRef", image)
ruleResp = engineapi.RulePass(iv.rule.Name, engineapi.ImageVerify, "verified from cache") ruleResp = engineapi.RulePass(iv.rule.Name, engineapi.ImageVerify, "verified from cache")
digest = imageInfo.Digest digest = imageInfo.Digest
@ -260,6 +265,7 @@ func (iv *ImageVerifier) Verify(
iv.logger.V(2).Info("cache entry not found", "namespace", iv.policyContext.Policy().GetNamespace(), "policy", iv.policyContext.Policy().GetName(), "ruleName", iv.rule.Name, "imageRef", image) iv.logger.V(2).Info("cache entry not found", "namespace", iv.policyContext.Policy().GetNamespace(), "policy", iv.policyContext.Policy().GetName(), "ruleName", iv.rule.Name, "imageRef", image)
ruleResp, digest = iv.verifyImage(ctx, imageVerify, imageInfo, cfg) ruleResp, digest = iv.verifyImage(ctx, imageVerify, imageInfo, cfg)
if ruleResp != nil && ruleResp.Status() == engineapi.RuleStatusPass { if ruleResp != nil && ruleResp.Status() == engineapi.RuleStatusPass {
if iv.ivCache != nil {
setted, err := iv.ivCache.Set(ctx, iv.policyContext.Policy(), iv.rule.Name, image) setted, err := iv.ivCache.Set(ctx, iv.policyContext.Policy(), iv.rule.Name, image)
if err != nil { if err != nil {
iv.logger.Error(err, "error occurred during cache set") iv.logger.Error(err, "error occurred during cache set")
@ -270,6 +276,7 @@ func (iv *ImageVerifier) Verify(
} }
} }
} }
}
iv.logger.V(4).Info("time taken by the image verify operation", "duration", time.Since(start)) iv.logger.V(4).Info("time taken by the image verify operation", "duration", time.Since(start))
if imageVerify.MutateDigest { if imageVerify.MutateDigest {
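Review bot: When `iv.ivCache` is nil, `isInCache` stays false and the else branch still emits the V(2) "cache entry not found" log for every image, describing a lookup that never happened; guard that log the same way as the Get call, e.g. `} else { if iv.ivCache != nil { iv.logger.V(2).Info("cache entry not found", ...) }`, so operators reading logs do not infer a cache miss where caching is disabled. The new guard compares an interface value (`imageverifycache.Client`, per the parameter types removed elsewhere in this commit) against nil, so a typed-nil pointer stored in `ivCache` would pass `!= nil` and still fault inside `Get`; worth confirming at the construction site that callers assign an untyped nil, or routing disabled callers through `imageverifycache.DisabledImageVerifyCache()` as the handlers did before this commit. A comment on the new `isInCache := false` line, `// a nil ivCache disables caching: every image goes through full verification`, would record the contract the guard introduces, and the same applies to the `if iv.ivCache != nil` wrapping `Set`, which otherwise reads as an unexplained extra nesting level. Verify's signature and the rest of its body lie outside this hunk.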