
cronjob added

This commit is contained in:
evalsocket 2020-09-15 11:20:08 -07:00
parent 573496f318
commit 6aa9876f9f
15 changed files with 303 additions and 34 deletions


@ -275,7 +275,7 @@ apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.2.5
controller-gen.kubebuilder.io/version: v0.2.4
creationTimestamp: null
name: clusterpolicyreports.policy.kubernetes.io
spec:
@ -960,7 +960,7 @@ apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.2.5
controller-gen.kubebuilder.io/version: v0.2.4
creationTimestamp: null
name: policyreports.policy.kubernetes.io
spec:
@ -1171,6 +1171,47 @@ spec:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
scopeSelector:
description: ScopeSelector is an optional selector for multiple scopes (e.g.
Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
should be specified.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains
values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set
of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator
is In or NotIn, the values array must be non-empty. If the operator
is Exists or DoesNotExist, the values array must be empty. This
array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value}
in the matchLabels map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In", and the values array
contains only "value". The requirements are ANDed.
type: object
type: object
summary:
description: PolicyReportSummary provides a summary of results
properties:


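--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -0,0 +1,25 @@
+{{- if (not .Values.job.enableBackgroundScan) }}
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+name: {{ .Values.job.name | quote }}
+labels: {{ include "kyverno.labels" . | nindent 4 }}
+namespace: {{ .Release.Namespace }}
+spec:
+schedule: {{ .Values.job.schedule | quote }}
+concurrencyPolicy : Forbid
+suspend : true
+successfulJobsHistoryLimit : 4
+failedJobsHistoryLimit : 4
+jobTemplate:
+spec:
+template:
+spec:
+containers:
+- name: {{ .Values.job.name | quote }}
+image: {{ .Values.job.image | quote }}
+args:
+- report
+- all
+restartPolicy: OnFailure
+{{- end -}}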
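Review bot: The CronJob is rendered with `suspend : true`, so even when the `{{- if (not .Values.job.enableBackgroundScan) }}` guard lets it into the release the controller never schedules a run until someone unsuspends it; if the scan is meant to run on `schedule`, drop that line or make it configurable, e.g. `suspend: {{ .Values.job.suspend }}` backed by a documented default. The pod template sets no `serviceAccountName`, so the job runs under the namespace's default service account, while the `report all` command it invokes builds a Kubernetes client (see the "Failed to create kubernetes client" path in AllReportsCommand) and presumably needs RBAC to list resources and write policy reports — give it a dedicated service account bound to only those verbs. `.Values.job.image` defaults to a `:latest` tag; pin a released tag or digest so the scan's code cannot change underneath an installed release. The `key : value` spacing on the spec fields is valid YAML but inconsistent with the rest of the chart.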


@ -126,4 +126,11 @@ service:
# kyverno-svc.kyverno.svc.kyverno-tls-key-pair (with data entries named tls.key and tls.crt)
# 3) Let Helm generate a self signed cert, by setting createSelfSignedCert true
# If letting Kyverno create its own CA or providing your own, make createSelfSignedCert is false
createSelfSignedCert: false
createSelfSignedCert: false
job:
name: policyreport-background-scan
enableBackgroundScan : true
schedule : "*/6 * * * *"
image : "nirmata/kyverno-cli:latest"
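Review bot: `enableBackgroundScan : true` is the default, yet the new chart template renders the CronJob only when this value is false (`{{- if (not .Values.job.enableBackgroundScan) }}`), and the same commit deletes the periodic sync goroutine from Job.Run; taken together a default install appears to end up with no background scan at all, so confirm which polarity is intended. Whichever it is, document it next to the key, e.g. `# enableBackgroundScan: when false the chart renders the policyreport CronJob; when true no CronJob is created`, and add `# image: pin to a released kyverno-cli tag rather than :latest` above the image default. The `key : value` spacing on the three new keys differs from the rest of values.yaml and would be worth normalising.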


@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.2.5
controller-gen.kubebuilder.io/version: v0.2.4
creationTimestamp: null
name: clusterpolicyreports.policy.kubernetes.io
spec:


@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.2.5
controller-gen.kubebuilder.io/version: v0.2.4
creationTimestamp: null
name: policyreports.policy.kubernetes.io
spec:
@ -215,6 +215,47 @@ spec:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
scopeSelector:
description: ScopeSelector is an optional selector for multiple scopes (e.g.
Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
should be specified.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains
values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set
of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator
is In or NotIn, the values array must be non-empty. If the operator
is Exists or DoesNotExist, the values array must be empty. This
array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value}
in the matchLabels map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In", and the values array
contains only "value". The requirements are ANDed.
type: object
type: object
summary:
description: PolicyReportSummary provides a summary of results
properties:


@ -280,7 +280,7 @@ apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.2.5
controller-gen.kubebuilder.io/version: v0.2.4
creationTimestamp: null
name: clusterpolicyreports.policy.kubernetes.io
spec:
@ -965,7 +965,7 @@ apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.2.5
controller-gen.kubebuilder.io/version: v0.2.4
creationTimestamp: null
name: policyreports.policy.kubernetes.io
spec:
@ -1176,6 +1176,47 @@ spec:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
scopeSelector:
description: ScopeSelector is an optional selector for multiple scopes (e.g.
Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
should be specified.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains
values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set
of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator
is In or NotIn, the values array must be non-empty. If the operator
is Exists or DoesNotExist, the values array must be empty. This
array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value}
in the matchLabels map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In", and the values array
contains only "value". The requirements are ANDed.
type: object
type: object
summary:
description: PolicyReportSummary provides a summary of results
properties:
@ -1744,3 +1785,25 @@ spec:
imagePullPolicy: Always
name: kyverno-pre
serviceAccountName: kyverno-service-account
---
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: policyreport-background-scan
spec:
concurrencyPolicy: Forbid
failedJobsHistoryLimit: 4
jobTemplate:
spec:
template:
spec:
containers:
- args:
- report
- all
image: evalsocket/kyverno-cli:latest
name: policyreport-background-scan
restartPolicy: OnFailure
schedule: '*/6 * * * *'
successfulJobsHistoryLimit: 4
suspend: true
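Review bot: The CronJob appended at the end of this manifest pulls `image: evalsocket/kyverno-cli:latest`, a personal Docker Hub namespace rather than the project's image (the chart default in values.yaml is `nirmata/kyverno-cli:latest`), and with no tag pin; every cluster that applies this install file would then execute whatever that third-party account publishes under `latest`, which is not something a release artifact should depend on — reference the project's published image with a versioned tag or digest. The same reference appears in the second install manifest (the hunk ending at `suspend: true` further down) and in the `./cronjob.yaml` resource added to the kustomization, which these manifests are presumably generated from; fix the source and regenerate. As in the chart template, the job is emitted with `suspend: true` and no `serviceAccountName`, so it will not run as-is and, once unsuspended, would run under the namespace default service account. The file continues outside the hunk.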


@ -280,7 +280,7 @@ apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.2.5
controller-gen.kubebuilder.io/version: v0.2.4
creationTimestamp: null
name: clusterpolicyreports.policy.kubernetes.io
spec:
@ -965,7 +965,7 @@ apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.2.5
controller-gen.kubebuilder.io/version: v0.2.4
creationTimestamp: null
name: policyreports.policy.kubernetes.io
spec:
@ -1176,6 +1176,47 @@ spec:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
scopeSelector:
description: ScopeSelector is an optional selector for multiple scopes (e.g.
Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
should be specified.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains
values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set
of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator
is In or NotIn, the values array must be non-empty. If the operator
is Exists or DoesNotExist, the values array must be empty. This
array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value}
in the matchLabels map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In", and the values array
contains only "value". The requirements are ANDed.
type: object
type: object
summary:
description: PolicyReportSummary provides a summary of results
properties:
@ -1677,3 +1718,25 @@ spec:
targetPort: 443
selector:
app: kyverno
---
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: policyreport-background-scan
spec:
concurrencyPolicy: Forbid
failedJobsHistoryLimit: 4
jobTemplate:
spec:
template:
spec:
containers:
- args:
- report
- all
image: evalsocket/kyverno-cli:latest
name: policyreport-background-scan
restartPolicy: OnFailure
schedule: '*/6 * * * *'
successfulJobsHistoryLimit: 4
suspend: true


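--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -0,0 +1,21 @@
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+name: policyreport-background-scan
+spec:
+schedule: "*/6 * * * *"
+concurrencyPolicy : Forbid
+suspend : true
+successfulJobsHistoryLimit : 4
+failedJobsHistoryLimit : 4
+jobTemplate:
+spec:
+template:
+spec:
+containers:
+- name: policyreport-background-scan
+image: evalsocket/kyverno-cli:latest
+args:
+- report
+- all
+restartPolicy: OnFailure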


@ -3,4 +3,5 @@ kind: Kustomization
resources:
- ./rbac.yaml
- ./configmap.yaml
- ./configmap.yaml
- ./cronjob.yaml


@ -122,15 +122,6 @@ func (j *Job) Run(workers int, stopCh <-chan struct{}) {
defer utilruntime.HandleCrash()
logger.Info("start")
defer logger.Info("shutting down")
go func(configHandler config.Interface) {
for k := range time.Tick(time.Duration(configHandler.GetBackgroundSync()) * time.Second) {
j.log.V(2).Info("Background Sync sync at ", "time", k.String())
var wg sync.WaitGroup
wg.Add(1)
go j.syncKyverno(&wg, "All", "SYNC", "")
wg.Wait()
}
}(j.configHandler)
for i := 0; i < workers; i++ {
go wait.Until(j.runWorker, constant.PolicyViolationControllerResync, stopCh)
}


@ -34,8 +34,8 @@ func AllReportsCommand() *cobra.Command {
log.Log.Error(err, "Failed to create kubernetes client")
os.Exit(1)
}
var wg sync.WaitGroup
if mode == "cli" {
var wg sync.WaitGroup
if namespace != "" {
wg.Add(1)
go backgroundScan(namespace, All, policy, &wg, restConfig, logger)
@ -49,12 +49,12 @@ func AllReportsCommand() *cobra.Command {
go backgroundScan(n.GetName(), All, policy, &wg, restConfig, logger)
}
}
wg.Wait()
os.Exit(0)
}else{
log.Log.Error(nil, "mode is not supported","mode",mode)
os.Exit(1)
wg.Add(1)
go configmapScan(All, &wg, restConfig, logger)
}
wg.Wait()
os.Exit(0)
return nil
},
}
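Review bot: The `else` branch now runs `configmapScan(All, &wg, restConfig, logger)` for every value of `mode` other than `"cli"`, because the `mode is not supported` error and its `os.Exit(1)` were removed; a mistyped `--mode` silently takes the configmap path instead of failing. Keep the unsupported-mode error as the final `else` and make the configmap path explicit, e.g. `} else if mode == "<configmap mode value>" {` (the string this command expects for that mode is not visible in the hunk). The pre-existing `}else{` would also be reformatted by gofmt while this line is being touched. AllReportsCommand starts outside the hunk.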


@ -32,7 +32,7 @@ func ClusterCommand() *cobra.Command {
wg.Wait()
os.Exit(0)
}
go configmapScan("", Cluster, &wg, restConfig, logger)
go configmapScan(Cluster, &wg, restConfig, logger)
wg.Wait()
os.Exit(0)
return nil


@ -191,12 +191,18 @@ func backgroundScan(n, scope, policychange string, wg *sync.WaitGroup, restConfi
switch scope {
case Cluster:
resourceMap[Cluster] = policy.ExcludePod(resourceMap[Cluster], log.Log)
delete(resourceMap,Namespace)
delete(resourceMap,Helm)
break
case Namespace:
resourceMap[Namespace] = policy.ExcludePod(resourceMap[Namespace], log.Log)
delete(resourceMap,Cluster)
delete(resourceMap,Helm)
break
case Helm:
resourceMap[Helm] = policy.ExcludePod(resourceMap[Helm], log.Log)
delete(resourceMap,Namespace)
delete(resourceMap,Cluster)
break
case All:
resourceMap[Cluster] = policy.ExcludePod(resourceMap[Cluster], log.Log)
@ -345,7 +351,7 @@ func createResults(policyContext engine.PolicyContext, key string, results map[s
return results
}
func configmapScan(n, scope string, wg *sync.WaitGroup, restConfig *rest.Config, logger logr.Logger) {
func configmapScan(scope string, wg *sync.WaitGroup, restConfig *rest.Config, logger logr.Logger) {
defer func() {
wg.Done()
}()
@ -374,15 +380,25 @@ func configmapScan(n, scope string, wg *sync.WaitGroup, restConfig *rest.Config,
}
var response map[string][]policyreport.Info
if scope == Cluster {
if err := json.Unmarshal([]byte(job.Data["Cluster"]), &response); err != nil {
if err := json.Unmarshal([]byte(job.Data[Cluster]), &response); err != nil {
lgr.Error(err, "Error in json marshal of namespace data")
}
} else if scope == Helm {
if err := json.Unmarshal([]byte(job.Data["Helm"]), &response); err != nil {
if err := json.Unmarshal([]byte(job.Data[Helm]), &response); err != nil {
lgr.Error(err, "Error in json marshal of namespace data")
}
} else if scope == Namespace {
if err := json.Unmarshal([]byte(job.Data[Namespace]), &response); err != nil {
lgr.Error(err, "Error in json marshal of namespace data")
}
} else {
if err := json.Unmarshal([]byte(job.Data["Namespace"]), &response); err != nil {
if err := json.Unmarshal([]byte(job.Data[Cluster]), &response); err != nil {
lgr.Error(err, "Error in json marshal of namespace data")
}
if err := json.Unmarshal([]byte(job.Data[Helm]), &response); err != nil {
lgr.Error(err, "Error in json marshal of namespace data")
}
if err := json.Unmarshal([]byte(job.Data[Namespace]), &response); err != nil {
lgr.Error(err, "Error in json marshal of namespace data")
}
}
@ -410,9 +426,9 @@ func configmapScan(n, scope string, wg *sync.WaitGroup, restConfig *rest.Config,
}
var appname string
// Increase Count
if scope == Cluster {
if k == Cluster {
appname = fmt.Sprintf("clusterpolicyreport")
} else if scope == Helm {
} else if k == Helm {
resource, err := dClient.GetResource(v.Resource.GetAPIVersion(), v.Resource.GetKind(), v.Resource.GetNamespace(), v.Resource.GetName())
if err != nil {
lgr.Error(err, "failed to get resource")
@ -433,7 +449,7 @@ func configmapScan(n, scope string, wg *sync.WaitGroup, restConfig *rest.Config,
}
}
fmt.Println(results)
for k := range results {
if k != "" {
continue
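Review bot: In the new `else` branch of configmapScan (the All scope), the three `json.Unmarshal` calls decode into the same `response` map one after another; encoding/json reuses a non-nil map and keeps existing entries, so this merges the three scopes and any key present in more than one of them is silently overwritten by the later decode rather than having its `[]policyreport.Info` appended — confirm that is intended, or decode each scope into its own map and concatenate per key. The message `Error in json marshal of namespace data` is now logged for the Cluster and Helm keys as well, and a missing or empty `job.Data[...]` entry yields an "unexpected end of JSON input" error for every scope that has no data yet; skipping empty entries and naming the key, e.g. `lgr.Error(err, "failed to unmarshal report data", "scope", Cluster)`, would make the log actionable. The `fmt.Println(results)` in the last hunk looks like a leftover debug print that dumps the whole result set to stdout (its side is not certain in this rendering); if it is new, drop it or route it through `lgr.V(2).Info`. configmapScan starts and ends outside these hunks.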


@ -54,7 +54,7 @@ func HelmCommand() *cobra.Command {
}
} else {
wg.Add(1)
go configmapScan("", Helm, &wg, restConfig, logger)
go configmapScan(Helm, &wg, restConfig, logger)
}
wg.Wait()
os.Exit(0)


@ -53,7 +53,7 @@ func NamespaceCommand() *cobra.Command {
}
} else {
wg.Add(1)
go configmapScan("", Namespace, &wg, restConfig, logger)
go configmapScan( Namespace, &wg, restConfig, logger)
}
wg.Wait()
os.Exit(0)
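Review bot: `go configmapScan( Namespace, &wg, restConfig, logger)` carries a stray space after the opening parenthesis that gofmt would remove; write `go configmapScan(Namespace, &wg, restConfig, logger)` as the matching call sites in HelmCommand and ClusterCommand do. NamespaceCommand continues outside the hunk.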