mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00

fix: image cache panic and cleanup (#8512)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Charles-Edouard Brétéché 2023-09-22 12:40:16 +02:00 committed by GitHub
parent 21e044eb1a
commit 61aa713d27
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 18 additions and 20 deletions


@ -16,7 +16,6 @@ import (
"github.com/kyverno/kyverno/pkg/engine/factories"
"github.com/kyverno/kyverno/pkg/engine/jmespath"
"github.com/kyverno/kyverno/pkg/event"
"github.com/kyverno/kyverno/pkg/imageverifycache"
"github.com/kyverno/kyverno/pkg/metrics"
controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"
"github.com/kyverno/kyverno/pkg/utils/match"
@ -131,7 +130,6 @@ func (h *handlers) executePolicy(
h.jp,
h.client,
nil,
imageverifycache.DisabledImageVerifyCache(),
spec.Context,
enginectx,
); err != nil {


@ -8,7 +8,6 @@ import (
enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
"github.com/kyverno/kyverno/pkg/engine/factories"
"github.com/kyverno/kyverno/pkg/engine/jmespath"
"github.com/kyverno/kyverno/pkg/imageverifycache"
)
func ContextLoaderFactory(cmResolver engineapi.ConfigmapResolver) engineapi.ContextLoaderFactory {
@ -49,7 +48,6 @@ func (w wrapper) Load(
jp jmespath.Interface,
client engineapi.RawClient,
rclientFactory engineapi.RegistryClientFactory,
ivCache imageverifycache.Client,
contextEntries []kyvernov1.ContextEntry,
jsonContext enginecontext.Interface,
) error {
@ -59,5 +57,5 @@ func (w wrapper) Load(
if !GetRegistryAccess() {
rclientFactory = nil
}
return w.inner.Load(ctx, jp, client, rclientFactory, ivCache, contextEntries, jsonContext)
return w.inner.Load(ctx, jp, client, rclientFactory, contextEntries, jsonContext)
}


@ -6,7 +6,6 @@ import (
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
"github.com/kyverno/kyverno/pkg/engine/jmespath"
"github.com/kyverno/kyverno/pkg/imageverifycache"
)
type RegistryClientFactory interface {
@ -25,7 +24,6 @@ type ContextLoader interface {
jp jmespath.Interface,
client RawClient,
rclientFactory RegistryClientFactory,
ivCache imageverifycache.Client,
contextEntries []kyvernov1.ContextEntry,
jsonContext enginecontext.Interface,
) error


@ -180,7 +180,6 @@ func (e *engine) ContextLoader(
e.jp,
e.client,
e.rclientFactory,
e.ivCache,
contextEntries,
jsonContext,
)


@ -10,7 +10,6 @@ import (
enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
"github.com/kyverno/kyverno/pkg/engine/context/loaders"
"github.com/kyverno/kyverno/pkg/engine/jmespath"
"github.com/kyverno/kyverno/pkg/imageverifycache"
"github.com/kyverno/kyverno/pkg/logging"
"github.com/kyverno/kyverno/pkg/toggle"
)
@ -47,7 +46,6 @@ func (l *contextLoader) Load(
jp jmespath.Interface,
client engineapi.RawClient,
rclientFactory engineapi.RegistryClientFactory,
ivCache imageverifycache.Client,
contextEntries []kyvernov1.ContextEntry,
jsonContext enginecontext.Interface,
) error {


@ -245,14 +245,19 @@ func (iv *ImageVerifier) Verify(
continue
}
start := time.Now()
found, err := iv.ivCache.Get(ctx, iv.policyContext.Policy(), iv.rule.Name, image)
if err != nil {
iv.logger.Error(err, "error occurred during cache get")
isInCache := false
if iv.ivCache != nil {
found, err := iv.ivCache.Get(ctx, iv.policyContext.Policy(), iv.rule.Name, image)
if err != nil {
iv.logger.Error(err, "error occurred during cache get")
} else {
isInCache = found
}
}
var ruleResp *engineapi.RuleResponse
var digest string
if found {
if isInCache {
iv.logger.V(2).Info("cache entry found", "namespace", iv.policyContext.Policy().GetNamespace(), "policy", iv.policyContext.Policy().GetName(), "ruleName", iv.rule.Name, "imageRef", image)
ruleResp = engineapi.RulePass(iv.rule.Name, engineapi.ImageVerify, "verified from cache")
digest = imageInfo.Digest
@ -260,12 +265,14 @@ func (iv *ImageVerifier) Verify(
iv.logger.V(2).Info("cache entry not found", "namespace", iv.policyContext.Policy().GetNamespace(), "policy", iv.policyContext.Policy().GetName(), "ruleName", iv.rule.Name, "imageRef", image)
ruleResp, digest = iv.verifyImage(ctx, imageVerify, imageInfo, cfg)
if ruleResp != nil && ruleResp.Status() == engineapi.RuleStatusPass {
setted, err := iv.ivCache.Set(ctx, iv.policyContext.Policy(), iv.rule.Name, image)
if err != nil {
iv.logger.Error(err, "error occurred during cache set")
} else {
if setted {
iv.logger.V(4).Info("successfully set cache", "namespace", iv.policyContext.Policy().GetNamespace(), "policy", iv.policyContext.Policy().GetName(), "ruleName", iv.rule.Name, "imageRef", image)
if iv.ivCache != nil {
setted, err := iv.ivCache.Set(ctx, iv.policyContext.Policy(), iv.rule.Name, image)
if err != nil {
iv.logger.Error(err, "error occurred during cache set")
} else {
if setted {
iv.logger.V(4).Info("successfully set cache", "namespace", iv.policyContext.Policy().GetNamespace(), "policy", iv.policyContext.Policy().GetName(), "ruleName", iv.rule.Name, "imageRef", image)
}
}
}
}
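Review bot: The new `if iv.ivCache != nil` guards in Verify only prevent the panic for an untyped nil; if `ivCache` is an interface field (the parameter removed elsewhere in this commit was typed `imageverifycache.Client`) and a caller stores a typed nil pointer in it, both guards pass and `Get`/`Set` can still dereference nil. It would help to document the contract on the field, e.g. `// ivCache is optional; a nil value disables caching and every image is fully verified`, and to make sure constructors assign a literal nil or a disabled implementation. The cache-hit branch also deserves a comment: it returns `RulePass` with "verified from cache" without re-checking signatures, keyed on policy, rule name and `image`, so if `image` can be a mutable tag rather than a digest the cached pass may outlive the content it was computed for — presumably bounded by the cache's TTL or key construction, but that is not visible here. Verify's body starts and ends outside these hunks.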