initial prototype commit

2025-03-31 03:45:17 +00:00 · 2019-06-17 23:41:18 -07:00 · 2019-06-17 23:41:18 -07:00 · 6fd7cba0ea
commit 6fd7cba0ea
parent 6565cf43d0
2 changed files with 41 additions and 9 deletions
--- a/main.go
+++ b/main.go
@ -2,6 +2,7 @@ package main

 import (
 	"flag"
+	"strings"

 	"github.com/golang/glog"
 	"github.com/nirmata/kyverno/pkg/config"
@ -15,8 +16,9 @@ import (
 )

 var (
-	kubeconfig string
-	serverIP   string
+	kubeconfig    string
+	serverIP      string
+	filterK8Kinds arrayFlags
 )

 func main() {
@ -51,7 +53,7 @@ func main() {
 		glog.Fatalf("Failed to initialize TLS key/certificate pair: %v\n", err)
 	}

-	server, err := webhooks.NewWebhookServer(client, tlsPair, policyInformerFactory)
+	server, err := webhooks.NewWebhookServer(client, tlsPair, policyInformerFactory, filterK8Kinds)
 	if err != nil {
 		glog.Fatalf("Unable to create webhook server: %v\n", err)
 	}
@ -80,9 +82,24 @@ func main() {
 	policyController.Stop()
 }

+type arrayFlags []string
+
+func (i *arrayFlags) String() string {
+	var sb strings.Builder
+	for _, str := range *i {
+		sb.WriteString(str)
+	}
+	return sb.String()
+}
+
+func (i *arrayFlags) Set(value string) error {
+	*i = append(*i, value)
+	return nil
+}
 func init() {
 	flag.StringVar(&kubeconfig, "kubeconfig", "", "Path to a kubeconfig. Only required if out-of-cluster.")
 	flag.StringVar(&serverIP, "serverIP", "", "IP address where Kyverno controller runs. Only required if out-of-cluster.")
+	flag.Var(&filterK8Kinds, "filterKind", "k8 kinds where polcies are not to be applied on")
 	config.LogDefaultFlags()
 	flag.Parse()
 }
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@ -29,6 +29,7 @@ type WebhookServer struct {
 	server       http.Server
 	client       *client.Client
 	policyLister v1alpha1.PolicyLister
+	filterKinds  []string
 }

 // NewWebhookServer creates new instance of WebhookServer accordingly to given configuration
@ -36,7 +37,8 @@ type WebhookServer struct {
 func NewWebhookServer(
 	client *client.Client,
 	tlsPair *tlsutils.TlsPemPair,
-	shareInformer sharedinformer.PolicyInformer) (*WebhookServer, error) {
+	shareInformer sharedinformer.PolicyInformer,
+	filterKinds []string) (*WebhookServer, error) {

 	if tlsPair == nil {
 		return nil, errors.New("NewWebhookServer is not initialized properly")
@ -52,6 +54,7 @@ func NewWebhookServer(
 	ws := &WebhookServer{
 		client:       client,
 		policyLister: shareInformer.GetLister(),
+		filterKinds:  filterKinds,
 	}

 	mux := http.NewServeMux()
@ -79,11 +82,14 @@ func (ws *WebhookServer) serve(w http.ResponseWriter, r *http.Request) {
 	admissionReview.Response = &v1beta1.AdmissionResponse{
 		Allowed: true,
 	}
-	switch r.URL.Path {
-	case config.MutatingWebhookServicePath:
-		admissionReview.Response = ws.HandleMutation(admissionReview.Request)
-	case config.ValidatingWebhookServicePath:
-		admissionReview.Response = ws.HandleValidation(admissionReview.Request)
+	if !stringInSlice(admissionReview.Request.Kind.Kind, ws.filterKinds) {
+
+		switch r.URL.Path {
+		case config.MutatingWebhookServicePath:
+			admissionReview.Response = ws.HandleMutation(admissionReview.Request)
+		case config.ValidatingWebhookServicePath:
+			admissionReview.Response = ws.HandleValidation(admissionReview.Request)
+		}
 	}

 	admissionReview.Response.UID = admissionReview.Request.UID
@ -101,6 +107,15 @@ func (ws *WebhookServer) serve(w http.ResponseWriter, r *http.Request) {
 	}
 }

+func stringInSlice(kind string, list []string) bool {
+	for _, b := range list {
+		if b == kind {
+			return true
+		}
+	}
+	return false
+}
+
 // RunAsync TLS server in separate thread and returns control immediately
 func (ws *WebhookServer) RunAsync() {
 	go func(ws *WebhookServer) {