From 92c97a92e9e9f77b4d9ed3b693586b707a52339b Mon Sep 17 00:00:00 2001 From: belyshevdenis Date: Thu, 21 Mar 2019 15:57:30 +0200 Subject: [PATCH 1/4] NK-31: Put constants in separate file. Updated install.yaml definition to create Service and DaemonSet. Fixed bug with webhook registration. --- constants/constants.go | 17 ++++++ definitions/examples/selector-policy.yaml | 21 ------- definitions/install.yaml | 69 +++++++++++++++++++++++ init.go | 13 ++--- main.go | 2 +- server/server.go | 7 ++- webhooks/registration.go | 42 +++++--------- 7 files changed, 110 insertions(+), 61 deletions(-) create mode 100644 constants/constants.go delete mode 100644 definitions/examples/selector-policy.yaml diff --git a/constants/constants.go b/constants/constants.go new file mode 100644 index 0000000000..7bfd24e07c --- /dev/null +++ b/constants/constants.go @@ -0,0 +1,17 @@ +package constants + +const ( + // These constants MUST be equal to the corresponding names in service definition in definitions/install.yaml + WebhookServiceNamespace = "kube-system" + WebhookServiceName = "kube-policy-svc" + + WebhookConfigName = "nirmata-kube-policy-webhook-cfg" + MutationWebhookName = "webhook.nirmata.kube-policy" +) + +var ( + WebhookServicePath = "/mutate" + WebhookConfigLabels = map[string]string { + "app": "kube-policy", + } +) \ No newline at end of file diff --git a/definitions/examples/selector-policy.yaml b/definitions/examples/selector-policy.yaml deleted file mode 100644 index d15312b76d..0000000000 --- a/definitions/examples/selector-policy.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: policy.nirmata.io/v1alpha1 -kind : Policy -metadata: - name: selector-policy -spec: - failurePolicy: continueOnError - rules: - - resource: - kind: ConfigMap - selector: - matchLabels: - label1: test1 - matchExpressions: - - key: label2 - operator: In - values: - - test2 - patch: - - path: / - op : add - value : "20" 
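Review bot: `WebhookServicePath` is exported as a mutable package-level `var` (apparently only because registration.go takes its address for `ServiceReference.Path`), so any package can reassign the path that both the mux route in server.go and the registered webhook depend on; the shared `WebhookConfigLabels` map is mutable for the same reason. Keep the path a `const` alongside the other names and copy it where a pointer is needed, e.g. `path := constants.WebhookServicePath` followed by `Path: &path,` in `constructWebhookConfig`. The "MUST be equal" comment would be more useful if it named the fields it mirrors (`metadata.name` / `metadata.namespace` of the Service in definitions/install.yaml), since both the certificate properties built in init.go and the ServiceReference in registration.go are derived from these values. The file also has no trailing newline, which gofmt would add.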
diff --git a/definitions/install.yaml b/definitions/install.yaml index 19273f4f08..6a1caea2d6 100644 --- a/definitions/install.yaml +++ b/definitions/install.yaml @@ -145,3 +145,72 @@ spec: type: object additionalProperties: type: string +--- +apiVersion: v1 +kind: Service +metadata: + namespace: kube-system + name: kube-policy-svc + labels: + app: kube-policy +spec: + ports: + - port: 443 + targetPort: 443 + selector: + app: kube-policy +#--- +#apiVersion: v1 +#kind: ServiceAccount +#metadata: +# name: kube-policy-service-account +# namespace: kube-system +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: kube-policy-admin +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: +- kind: ServiceAccount + name: default + namespace: kube-system +--- +apiVersion: extensions/v1beta1 +kind: DaemonSet +metadata: + labels: + app: kube-policy + tier: node + name: kube-policy-daemon + namespace: kube-system +spec: + template: + metadata: + labels: + app: kube-policy + tier: node + spec: + #serviceAccountName: kube-policy-service-account + #serviceAccount: kube-policy-service-account + containers: + - name: kube-policy + image: nirmata/kube-policy:latest + imagePullPolicy: IfNotPresent + ports: + - containerPort: 443 + securityContext: + privileged: true + hostNetwork: true + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/master + operator: Exists + - effect: NoSchedule + key: node.kubernetes.io/not-ready + operator: Exists diff --git a/init.go b/init.go index 8940b39c8c..d8ec4cd7c6 100644 --- a/init.go +++ b/init.go 
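Review bot: The ClusterRoleBinding binds `cluster-admin` to the `default` ServiceAccount in `kube-system`, which grants cluster-admin to every pod in that namespace that does not set its own service account, not only to the webhook server. Bind a dedicated service account instead (the patch-3 hunk on install.yaml does that, but still to `cluster-admin`) and give it a ClusterRole limited to what the server visibly does: creating the MutatingWebhookConfiguration, the certificate handling done through kubeclient in init.go, and presumably the Policy CRD defined earlier in this file. The DaemonSet also runs the container with `privileged: true` and `hostNetwork: true`; serving on `containerPort: 443` behind the Service needs neither, so drop them or add a comment explaining why they are required (the patch-3 Deployment removes `hostNetwork` but keeps `privileged`). `imagePullPolicy: IfNotPresent` combined with `image: nirmata/kube-policy:latest` means a node keeps whichever `latest` it first pulled; pin a tag or use `Always`.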
@@ -6,16 +6,13 @@ import ( "net/url" "github.com/nirmata/kube-policy/kubeclient" + "github.com/nirmata/kube-policy/constants" "github.com/nirmata/kube-policy/utils" rest "k8s.io/client-go/rest" clientcmd "k8s.io/client-go/tools/clientcmd" ) -// These constants MUST be equal to the corresponding names in service definition in definitions/install.yaml -const serviceName string = "kube-policy-svc" -const namespace string = "default" - func createClientConfig(kubeconfig string) (*rest.Config, error) { if kubeconfig == "" { log.Printf("Using in-cluster configuration") @@ -29,13 +26,13 @@ func createClientConfig(kubeconfig string) (*rest.Config, error) { func readTlsPairFromFiles(certFile, keyFile string) *utils.TlsPemPair { certContent, err := ioutil.ReadFile(certFile) if err != nil { - log.Printf("Unable to read file with TLS certificate: %v", err) + log.Printf("Unable to read file with TLS certificate: path - %s, error - %v", certFile, err) return nil } keyContent, err := ioutil.ReadFile(keyFile) if err != nil { - log.Printf("Unable to read file with TLS private key: %v", err) + log.Printf("Unable to read file with TLS private key: path - %s, error - %v", keyFile, err) return nil } @@ -53,8 +50,8 @@ func initTlsPemsPair(config *rest.Config, client *kubeclient.KubeClient) (*utils return nil, err } certProps := utils.TlsCertificateProps{ - Service: serviceName, - Namespace: namespace, + Service: constants.WebhookServiceName, + Namespace: constants.WebhookServiceNamespace, ApiServerHost: apiServerUrl.Hostname(), } diff --git a/main.go b/main.go index d3dea750e1..cb728a4c57 100644 --- a/main.go +++ b/main.go @@ -24,7 +24,7 @@ func main() { log.Fatalf("Error building kubeconfig: %v\n", err) } - _, err = webhooks.RegisterMutationWebhook(clientConfig) + err = webhooks.RegisterMutationWebhook(clientConfig) if err != nil { log.Fatalf("Error registering mutation webhook server: %v\n", err) } diff --git a/server/server.go b/server/server.go index d16e09c6a5..0c1d3957e8 100644 
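Review bot: `readTlsPairFromFiles` still reports both failures only through `log.Printf` and a `nil` return, so the caller cannot distinguish a missing certificate from an unreadable key and the process continues with a nil pair; returning `(*utils.TlsPemPair, error)` with the path folded into the error, e.g. `return nil, fmt.Errorf("reading TLS certificate %q: %v", certFile, err)`, would let main.go fail with the cause instead of relying on the log line. The added path in the message is an improvement, but logging and returning a sentinel for the same condition means the error is handled in two places. The function's tail and its callers are outside this hunk.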
--- a/server/server.go +++ b/server/server.go @@ -14,8 +14,9 @@ import ( "github.com/nirmata/kube-policy/controller" "github.com/nirmata/kube-policy/kubeclient" - "github.com/nirmata/kube-policy/utils" + "github.com/nirmata/kube-policy/constants" "github.com/nirmata/kube-policy/webhooks" + "github.com/nirmata/kube-policy/utils" v1beta1 "k8s.io/api/admission/v1beta1" ) @@ -66,7 +67,7 @@ func NewWebhookServer(config WebhookServerConfig, logger *log.Logger) (*WebhookS } mux := http.NewServeMux() - mux.HandleFunc("/mutate", ws.serve) + mux.HandleFunc(constants.WebhookServicePath, ws.serve) ws.server = http.Server{ Addr: ":443", // Listen on port for HTTPS requests @@ -82,7 +83,7 @@ func NewWebhookServer(config WebhookServerConfig, logger *log.Logger) (*WebhookS // Main server endpoint for all requests func (ws *WebhookServer) serve(w http.ResponseWriter, r *http.Request) { - if r.URL.Path == "/mutate" { + if r.URL.Path == constants.WebhookServicePath { admissionReview := ws.parseAdmissionReview(r, w) if admissionReview == nil { return diff --git a/webhooks/registration.go b/webhooks/registration.go index 434e825c42..ecbf548170 100644 --- a/webhooks/registration.go +++ b/webhooks/registration.go 
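Review bot: The import group is no longer sorted after this change: `constants` is inserted above `webhooks` and `utils` is moved below it, so gofmt will reorder the group on the next edit; keep the project imports alphabetical (`constants`, `controller`, `kubeclient`, `utils`, `webhooks`). In `serve`, `if r.URL.Path == constants.WebhookServicePath` repeats what the mux already guarantees, because an exact pattern registered with `mux.HandleFunc(constants.WebhookServicePath, ws.serve)` only dispatches that path; either drop the check or add a comment that it exists to reject other paths should `serve` ever be mounted elsewhere. The `http.Server` literal visible as context sets only `Addr`; if no `ReadHeaderTimeout`/`ReadTimeout`/`WriteTimeout` are set in the lines outside the hunk, add them so a slow peer cannot hold the admission endpoint's connections open. Both `NewWebhookServer` and `serve` continue outside the hunk.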
@@ -1,58 +1,44 @@ package webhooks + import ( "io/ioutil" + "github.com/nirmata/kube-policy/constants" + rest "k8s.io/client-go/rest" meta "k8s.io/apimachinery/pkg/apis/meta/v1" adm "k8s.io/api/admissionregistration/v1beta1" - types "k8s.io/api/admissionregistration/v1beta1" admreg "k8s.io/client-go/kubernetes/typed/admissionregistration/v1beta1" ) -const ( - webhookName = "nirmata-kube-policy-webhook-cfg" - mutationWebhookName = "webhook.nirmata.kube-policy" - webhookServiceNamespace = "default" - webhookServiceName = "kube-policy-svc" -) - -var ( - webhookPath = "mutate" - webhookLabels = map[string]string { - "app": "kube-policy", - } -) - -func RegisterMutationWebhook(config *rest.Config) (*types.MutatingWebhookConfiguration, error) { -var result *types.MutatingWebhookConfiguration = nil - +func RegisterMutationWebhook(config *rest.Config) error { registrationClient, err := admreg.NewForConfig(config) if err != nil { - return nil, err + return err } - result, err = registrationClient.MutatingWebhookConfigurations().Create(constructWebhookConfig(config)) + _, err = registrationClient.MutatingWebhookConfigurations().Create(constructWebhookConfig(config)) if err != nil { - return nil, err + return err } - return result, nil + return nil } func constructWebhookConfig(config *rest.Config) *adm.MutatingWebhookConfiguration { return &adm.MutatingWebhookConfiguration { ObjectMeta: meta.ObjectMeta { - Name: webhookName, - Labels: webhookLabels, + Name: constants.WebhookConfigName, + Labels: constants.WebhookConfigLabels, }, Webhooks: []adm.Webhook { adm.Webhook { - Name: mutationWebhookName, + Name: constants.MutationWebhookName, ClientConfig: adm.WebhookClientConfig { Service: &adm.ServiceReference { - Namespace: webhookServiceNamespace, - Name: webhookServiceName, - Path: &webhookPath, + Namespace: constants.WebhookServiceNamespace, + Name: constants.WebhookServiceName, + Path: &constants.WebhookServicePath, }, CABundle: ExtractCA(config), }, 
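Review bot: `RegisterMutationWebhook` registers with `MutatingWebhookConfigurations().Create(...)`, which fails with AlreadyExists once the configuration exists, so after the first successful run every pod restart will hit `log.Fatalf` in main.go and crash-loop unless something else deletes the object. Check `errors.IsAlreadyExists(err)` from `k8s.io/apimachinery/pkg/api/errors` and `Update` the existing object (or delete and recreate it) so registration is idempotent. `CABundle: ExtractCA(config)` can be nil — registration_test.go asserts exactly that for an empty config or an unreadable CAFile — and the nil bundle is registered anyway, leaving a webhook whose serving certificate the API server cannot verify; have `RegisterMutationWebhook` return an error when the bundle is empty. The bundle is also the kubeconfig's CA, which only verifies the serving pair built in `initTlsPemsPair` if that pair is signed by the same CA; worth confirming and stating in a comment on `constructWebhookConfig`. `constructWebhookConfig` continues outside the hunk.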
From 20d9fcd56346f3a5309eb6c8126e510ab092966a Mon Sep 17 00:00:00 2001 From: belyshevdenis Date: Thu, 21 Mar 2019 16:56:03 +0200 Subject: [PATCH 2/4] NK-31: Fixed indentation --- webhooks/registration.go | 4 ++-- webhooks/registration_test.go | 21 +++++++++++---------- webhooks/resources/CAFile | 27 ++++++++++++--------------- 3 files changed, 25 insertions(+), 27 deletions(-) diff --git a/webhooks/registration.go b/webhooks/registration.go index ecbf548170..ab3f546ead 100644 --- a/webhooks/registration.go +++ b/webhooks/registration.go @@ -35,7 +35,7 @@ func constructWebhookConfig(config *rest.Config) *adm.MutatingWebhookConfigurati adm.Webhook { Name: constants.MutationWebhookName, ClientConfig: adm.WebhookClientConfig { - Service: &adm.ServiceReference { + Service: &adm.ServiceReference { Namespace: constants.WebhookServiceNamespace, Name: constants.WebhookServiceName, Path: &constants.WebhookServicePath, @@ -68,7 +68,7 @@ func constructWebhookConfig(config *rest.Config) *adm.MutatingWebhookConfigurati func ExtractCA(config *rest.Config) (result []byte) { fileName := config.TLSClientConfig.CAFile - if fileName != "" { + if fileName != "" { result, err := ioutil.ReadFile(fileName) if err != nil { diff --git a/webhooks/registration_test.go b/webhooks/registration_test.go index 7a6cbaffb8..a095756838 100644 --- a/webhooks/registration_test.go +++ b/webhooks/registration_test.go @@ -1,4 +1,5 @@ package webhooks_test + import ( "gotest.tools/assert" "io/ioutil" 
@@ -11,55 +12,55 @@ import ( ) func TestExtractCA_EmptyBundle(t *testing.T) { - CAFile := "resources/CAFile" + CAFile := "resources/CAFile" config := &rest.Config { TLSClientConfig: rest.TLSClientConfig { CAData: nil, - CAFile: CAFile, + CAFile: CAFile, }, } expected, err := ioutil.ReadFile(CAFile) assert.Assert(t, err == nil) actual := webhooks.ExtractCA(config) - assert.Assert(t, bytes.Equal(expected, actual)) + assert.Assert(t, bytes.Equal(expected, actual)) } func TestExtractCA_EmptyCAFile(t *testing.T) { - CABundle := []byte(`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`) + CABundle := []byte(`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`) config := &rest.Config { TLSClientConfig: rest.TLSClientConfig { CAData: CABundle, - CAFile: "", + CAFile: "", }, } actual := webhooks.ExtractCA(config) - assert.Assert(t, bytes.Equal(CABundle, actual)) + assert.Assert(t, bytes.Equal(CABundle, actual)) } func TestExtractCA_EmptyConfig(t *testing.T) { config := &rest.Config { TLSClientConfig: rest.TLSClientConfig { CAData: nil, - CAFile: "", + CAFile: "", }, } actual := webhooks.ExtractCA(config) - assert.Assert(t, actual == nil) + assert.Assert(t, actual == nil) } func TestExtractCA_InvalidFile(t *testing.T) { config := &rest.Config { TLSClientConfig: rest.TLSClientConfig { CAData: nil, - CAFile: "somenonexistingfile", + CAFile: "somenonexistingfile", }, } actual := webhooks.ExtractCA(config) - assert.Assert(t, actual == nil) + assert.Assert(t, actual == nil) } \ No newline at end of file diff --git a/webhooks/resources/CAFile b/webhooks/resources/CAFile index d3700b2b42..8e3c60a196 100644 --- a/webhooks/resources/CAFile +++ b/webhooks/resources/CAFile 
@@ -1,17 +1,14 @@ -----BEGIN CERTIFICATE----- -MIICyDCCAbCgAwIBAgIBADANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwprdWJl -cm5ldGVzMB4XDTE5MDMxOTE0MDcwNFoXDTI5MDMxNjE0MDcwNFowFTETMBEGA1UE -AxMKa3ViZXJuZXRlczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+P -UKVa1romBwNg7j6pAHj9L48ERitJeG4W3ZTbcL5cJnuSBalsXuMjPLffmEuTFHuP -ztjRPDPw+xH5wuSXQvSKHiqvTMiRoCJREkOlAzHkWP3Ekvu374jd5FWt74HgFOup -HgVpuLOnW3+cCTNbCudx1LVWQlh0C2JnmKjnnKV+NLs4RUiY5vOuzJn4yzBWKF36 -bKgvC9ZLZQR3wYrrMeiec0gYV6VRmhh1J4CWuuQgtrC6wcIjqVdWDRRr4qLtKCp2 -ASHfcbz+ppGGnRygasqcIvzb5EpWsHDkGE+TQnVCBfNk17CD96ACZfEero1/XMz2 -Qo6oqA4vqyfGVYU9EVECAwEAAaMjMCEwDgYDVR0PAQH/BAQDAgKkMA8GA1UdEwEB -/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAMXUiQRiuG8pgsps+e7FegBtBNdG -fQTtuKEaTgE4F40jbwRgk7nCLylHx/Dm8iTQBk2Z4xZsncHnG+8JL+rDKvRAHNbU -lbzQyp5Wqpv7Oq8pgMpSJ9m7UcpFfdUfJ+5n7iqgLgLoya6kQU4vFM2LMkZ295Zq -eHwHgDJ9gr0Xcr9c5/kQvLEsfvYNPeXnjcrYyCobMqWnHIqyWwps5U2Nhh+ixRdB -o4Q/tIKN19OwXfAiW9HCa76LovWiHOSe1Vqs+Xu7P9rLxymoBouhW1VftmJ9C/oL -wpUn6yWD+mcKdgryA1cMbxCo5mGza3KhY5A7yx45q8dHB3Me8wABjmpXK4I= +V2VsY29tZSB0byBUaGUgUnVzdCBQcm9ncmFtbWluZyBMYW5ndWFnZSwgY +W4gaW50cm9kdWN0b3J5IGJvb2sgYWJvdXQgUnVzdC4gVGhlIFJ1c3QgcH +JvZ3JhbW1pbmcgbGFuZ3VhZ2UgaGVscHMgeW91IHdyaXRlIGZhc3Rlciw +gbW9yZSByZWxpYWJsZSBzb2Z0d2FyZS4gSGlnaC1sZXZlbCBlcmdvbm9t +aWNzIGFuZCBsb3ctbGV2ZWwgY29udHJvbCBhcmUgb2Z0ZW4gYXQgb2Rkc +yBpbiBwcm9ncmFtbWluZyBsYW5ndWFnZSBkZXNpZ247IFJ1c3QgY2hhbG +xlbmdlcyB0aGF0IGNvbmZsaWN0LiBUaHJvdWdoIGJhbGFuY2luZyBwb3d +lcmZ1bCB0ZWNobmljYWwgY2FwYWNpdHkgYW5kIGEgZ3JlYXQgZGV2ZWxv +cGVyIGV4cGVyaWVuY2UsIFJ1c3QgZ2l2ZXMgeW91IHRoZSBvcHRpb24gd +G8gY29udHJvbCBsb3ctbGV2ZWwgZGV0YWlscyAoc3VjaCBhcyBtZW1vcn +kgdXNhZ2UpIHdpdGhvdXQgYWxsIHRoZSBoYXNzbGUgdHJhZGl0aW9uYWx +seSBhc3NvY2lhdGVkIHdpdGggc3VjaCBjb250cm9sLgyzmqp31l8rqr1== -----END CERTIFICATE----- From dccb9e6f6e1f48ca4485d729c9f57772e9f27303 Mon Sep 17 00:00:00 2001 
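Review bot: The replacement fixture keeps the `-----BEGIN CERTIFICATE-----` / `-----END CERTIFICATE-----` framing but its body is base64 of prose rather than DER, so it is no longer a parseable certificate; the tests only compare bytes, so they still pass, but any later validation of the bundle (parsing it with `crypto/x509` or checking it is well-formed PEM) will fail on this file for a confusing reason. Either generate a throwaway self-signed certificate for the fixture or rename it (for example `resources/ca-bytes`) and drop the PEM markers to make clear it is opaque test data. The commit message says indentation only, so the content swap deserves a mention there.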
From: belyshevdenis Date: Thu, 21 Mar 2019 17:25:36 +0200 Subject: [PATCH 3/4] NK-31: Changed DaemonSet to Deployment for kube-policy image --- definitions/install.yaml | 50 +++++++++++++++------------------------- 1 file changed, 19 insertions(+), 31 deletions(-) diff --git a/definitions/install.yaml b/definitions/install.yaml index 6a1caea2d6..28cbbc797b 100644 --- a/definitions/install.yaml +++ b/definitions/install.yaml @@ -159,12 +159,12 @@ spec: targetPort: 443 selector: app: kube-policy -#--- -#apiVersion: v1 -#kind: ServiceAccount -#metadata: -# name: kube-policy-service-account -# namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kube-policy-service-account + namespace: kube-system --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 @@ -176,41 +176,29 @@ roleRef: name: cluster-admin subjects: - kind: ServiceAccount - name: default + name: kube-policy-service-account namespace: kube-system --- apiVersion: extensions/v1beta1 -kind: DaemonSet +kind: Deployment metadata: + namespace: kube-system + name: kube-policy-deployment labels: app: kube-policy - tier: node - name: kube-policy-daemon - namespace: kube-system spec: + replicas: 1 template: metadata: labels: app: kube-policy - tier: node spec: - #serviceAccountName: kube-policy-service-account - #serviceAccount: kube-policy-service-account + serviceAccountName: kube-policy-service-account containers: - - name: kube-policy - image: nirmata/kube-policy:latest - imagePullPolicy: IfNotPresent - ports: - - containerPort: 443 - securityContext: - privileged: true - hostNetwork: true - tolerations: - - key: CriticalAddonsOnly - operator: Exists - - effect: NoSchedule - key: node-role.kubernetes.io/master - operator: Exists - - effect: NoSchedule - key: node.kubernetes.io/not-ready - operator: Exists + - name: kube-policy + image: nirmata/kube-policy:latest + imagePullPolicy: IfNotPresent + ports: + - containerPort: 443 + securityContext: + privileged: true 
From c662f1c9dbead353a52df58f1a83a8e402323df0 Mon Sep 17 00:00:00 2001 From: belyshevdenis Date: Thu, 21 Mar 2019 18:09:14 +0200 Subject: [PATCH 4/4] NK-31: Renamed constants package to config --- constants/constants.go => config/config.go | 2 +- init.go | 10 +++++----- main.go | 3 +-- server/server.go | 14 +++++++------- webhooks/registration.go | 18 +++++++++--------- 5 files changed, 23 insertions(+), 24 deletions(-) rename constants/constants.go => config/config.go (95%) diff --git a/constants/constants.go b/config/config.go similarity index 95% rename from constants/constants.go rename to config/config.go index 7bfd24e07c..4ca7879709 100644 --- a/constants/constants.go +++ b/config/config.go @@ -1,4 +1,4 @@ -package constants +package config const ( // These constants MUST be equal to the corresponding names in service definition in definitions/install.yaml diff --git a/init.go b/init.go index d8ec4cd7c6..f7cff8345a 100644 --- a/init.go +++ b/init.go @@ -6,7 +6,7 @@ import ( "net/url" "github.com/nirmata/kube-policy/kubeclient" - "github.com/nirmata/kube-policy/constants" + "github.com/nirmata/kube-policy/config" "github.com/nirmata/kube-policy/utils" rest "k8s.io/client-go/rest" 
@@ -44,14 +44,14 @@ func readTlsPairFromFiles(certFile, keyFile string) *utils.TlsPemPair { // Loads or creates PEM private key and TLS certificate for webhook server // Returns struct with key/certificate pair -func initTlsPemsPair(config *rest.Config, client *kubeclient.KubeClient) (*utils.TlsPemPair, error) { - apiServerUrl, err := url.Parse(config.Host) +func initTlsPemsPair(configuration *rest.Config, client *kubeclient.KubeClient) (*utils.TlsPemPair, error) { + apiServerUrl, err := url.Parse(configuration.Host) if err != nil { return nil, err } certProps := utils.TlsCertificateProps{ - Service: constants.WebhookServiceName, - Namespace: constants.WebhookServiceNamespace, + Service: config.WebhookServiceName, + Namespace: config.WebhookServiceNamespace, ApiServerHost: apiServerUrl.Hostname(), } diff --git a/main.go b/main.go index cb728a4c57..0e93ed2192 100644 --- a/main.go +++ b/main.go @@ -64,8 +64,7 @@ func main() { controller.Run(stopCh) if err != nil { - log.Fatalf("Error running PolicyController! Error: %s\n", err) - return + log.Fatalf("Error running PolicyController: %s\n", err) } log.Println("Policy Controller has started") diff --git a/server/server.go b/server/server.go index 0c1d3957e8..64b0c153be 100644 --- a/server/server.go +++ b/server/server.go @@ -14,7 +14,7 @@ import ( "github.com/nirmata/kube-policy/controller" "github.com/nirmata/kube-policy/kubeclient" - "github.com/nirmata/kube-policy/constants" + "github.com/nirmata/kube-policy/config" "github.com/nirmata/kube-policy/webhooks" "github.com/nirmata/kube-policy/utils" 
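Review bot: Renaming the parameter of `initTlsPemsPair` from `config` to `configuration` exists only to stop the new `config` package from being shadowed, and the same workaround is repeated in server.go (`NewWebhookServer`) and webhooks/registration.go (`constructWebhookConfig`) in this series, while the hunk header for registration.go shows `RegisterMutationWebhook(config *rest.Config)` still shadowing the package (harmless there because the package is not referenced in that body, but easy to trip over later). A package whose name collides with the most common local variable name in the codebase is a maintenance hazard; consider a less generic package name, or import it under an alias such as `cfg "github.com/nirmata/kube-policy/config"` and keep the parameters named `config`.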
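Review bot: The `if err != nil` following `controller.Run(stopCh)` tests a value that the `Run` call does not assign, so the new `log.Fatalf("Error running PolicyController: %s\n", err)` either never fires or reports an error from an earlier step; if `Run` returns an error, write `err = controller.Run(stopCh)`, otherwise delete the check. Removing the `return` after `log.Fatalf` is correct since `Fatalf` exits. `main` continues outside the hunk.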
@@ -40,23 +40,23 @@ type WebhookServerConfig struct { // NewWebhookServer creates new instance of WebhookServer accordingly to given configuration // Policy Controller and Kubernetes Client should be initialized in configuration -func NewWebhookServer(config WebhookServerConfig, logger *log.Logger) (*WebhookServer, error) { +func NewWebhookServer(configuration WebhookServerConfig, logger *log.Logger) (*WebhookServer, error) { if logger == nil { logger = log.New(os.Stdout, "HTTPS Server: ", log.LstdFlags|log.Lshortfile) } - if config.TlsPemPair == nil || config.Controller == nil || config.Kubeclient == nil { + if configuration.TlsPemPair == nil || configuration.Controller == nil || configuration.Kubeclient == nil { return nil, errors.New("WebhookServerConfig is not initialized properly") } var tlsConfig tls.Config - pair, err := tls.X509KeyPair(config.TlsPemPair.Certificate, config.TlsPemPair.PrivateKey) + pair, err := tls.X509KeyPair(configuration.TlsPemPair.Certificate, configuration.TlsPemPair.PrivateKey) if err != nil { return nil, err } tlsConfig.Certificates = []tls.Certificate{pair} - mw, err := webhooks.NewMutationWebhook(config.Kubeclient, config.Controller, logger) + mw, err := webhooks.NewMutationWebhook(configuration.Kubeclient, configuration.Controller, logger) if err != nil { return nil, err } @@ -67,7 +67,7 @@ func NewWebhookServer(config WebhookServerConfig, logger *log.Logger) (*WebhookS } mux := http.NewServeMux() - mux.HandleFunc(constants.WebhookServicePath, ws.serve) + mux.HandleFunc(config.WebhookServicePath, ws.serve) ws.server = http.Server{ Addr: ":443", // Listen on port for HTTPS requests 
@@ -83,7 +83,7 @@ func NewWebhookServer(config WebhookServerConfig, logger *log.Logger) (*WebhookS // Main server endpoint for all requests func (ws *WebhookServer) serve(w http.ResponseWriter, r *http.Request) { - if r.URL.Path == constants.WebhookServicePath { + if r.URL.Path == config.WebhookServicePath { admissionReview := ws.parseAdmissionReview(r, w) if admissionReview == nil { return diff --git a/webhooks/registration.go b/webhooks/registration.go index ab3f546ead..63cbdb9ecf 100644 --- a/webhooks/registration.go +++ b/webhooks/registration.go @@ -3,7 +3,7 @@ package webhooks import ( "io/ioutil" - "github.com/nirmata/kube-policy/constants" + "github.com/nirmata/kube-policy/config" rest "k8s.io/client-go/rest" meta "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -25,22 +25,22 @@ func RegisterMutationWebhook(config *rest.Config) error { return nil } -func constructWebhookConfig(config *rest.Config) *adm.MutatingWebhookConfiguration { +func constructWebhookConfig(configuration *rest.Config) *adm.MutatingWebhookConfiguration { return &adm.MutatingWebhookConfiguration { ObjectMeta: meta.ObjectMeta { - Name: constants.WebhookConfigName, - Labels: constants.WebhookConfigLabels, + Name: config.WebhookConfigName, + Labels: config.WebhookConfigLabels, }, Webhooks: []adm.Webhook { adm.Webhook { - Name: constants.MutationWebhookName, + Name: config.MutationWebhookName, ClientConfig: adm.WebhookClientConfig { Service: &adm.ServiceReference { - Namespace: constants.WebhookServiceNamespace, - Name: constants.WebhookServiceName, - Path: &constants.WebhookServicePath, + Namespace: config.WebhookServiceNamespace, + Name: config.WebhookServiceName, + Path: &config.WebhookServicePath, }, - CABundle: ExtractCA(config), + CABundle: ExtractCA(configuration), }, Rules: []adm.RuleWithOperations { adm.RuleWithOperations {