initialize configmap resolver in background components (#5705)
Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com>
parent
e0f0fdf242
commit
810b1335b6
11 changed files with 114 additions and 71 deletions
|
@ -117,6 +117,7 @@ func createNonLeaderControllers(
|
|||
policyCache policycache.Cache,
|
||||
eventGenerator event.Interface,
|
||||
manager openapi.Manager,
|
||||
informerCacheResolvers resolvers.ConfigmapResolver,
|
||||
) ([]internal.Controller, func() error) {
|
||||
policyCacheController := policycachecontroller.NewController(
|
||||
dynamicClient,
|
||||
|
@ -143,6 +144,7 @@ func createNonLeaderControllers(
|
|||
kubeKyvernoInformer.Core().V1().Pods(),
|
||||
eventGenerator,
|
||||
configuration,
|
||||
informerCacheResolvers,
|
||||
)
|
||||
return []internal.Controller{
|
||||
internal.NewController(policycachecontroller.ControllerName, policyCacheController, policycachecontroller.Workers),
|
||||
|
@ -166,6 +168,7 @@ func createReportControllers(
|
|||
metadataFactory metadatainformers.SharedInformerFactory,
|
||||
kubeInformer kubeinformers.SharedInformerFactory,
|
||||
kyvernoInformer kyvernoinformer.SharedInformerFactory,
|
||||
configMapResolver resolvers.ConfigmapResolver,
|
||||
) ([]internal.Controller, func(context.Context) error) {
|
||||
var ctrls []internal.Controller
|
||||
var warmups []func(context.Context) error
|
||||
|
@ -219,6 +222,7 @@ func createReportControllers(
|
|||
kyvernoV1.ClusterPolicies(),
|
||||
kubeInformer.Core().V1().Namespaces(),
|
||||
resourceReportController,
|
||||
configMapResolver,
|
||||
),
|
||||
backgroundScanWorkers,
|
||||
))
|
||||
|
@ -255,6 +259,7 @@ func createrLeaderControllers(
|
|||
eventGenerator event.Interface,
|
||||
certRenewer tls.CertRenewer,
|
||||
runtime runtimeutils.Runtime,
|
||||
configMapResolver resolvers.ConfigmapResolver,
|
||||
) ([]internal.Controller, func(context.Context) error, error) {
|
||||
policyCtrl, err := policy.NewPolicyController(
|
||||
kyvernoClient,
|
||||
|
@ -266,6 +271,7 @@ func createrLeaderControllers(
|
|||
configuration,
|
||||
eventGenerator,
|
||||
kubeInformer.Core().V1().Namespaces(),
|
||||
configMapResolver,
|
||||
logging.WithName("PolicyController"),
|
||||
time.Hour,
|
||||
metricsConfig,
|
||||
|
@ -329,6 +335,7 @@ func createrLeaderControllers(
|
|||
metadataInformer,
|
||||
kubeInformer,
|
||||
kyvernoInformer,
|
||||
configMapResolver,
|
||||
)
|
||||
return append(
|
||||
[]internal.Controller{
|
||||
|
@ -504,6 +511,7 @@ func main() {
|
|||
policyCache,
|
||||
eventGenerator,
|
||||
openApiManager,
|
||||
configMapResolver,
|
||||
)
|
||||
// start informers and wait for cache sync
|
||||
if !internal.StartInformersAndWaitForCacheSync(signalCtx, kyvernoInformer, kubeInformer, kubeKyvernoInformer, cacheInformer) {
|
||||
|
@ -561,6 +569,7 @@ func main() {
|
|||
eventGenerator,
|
||||
certRenewer,
|
||||
runtime,
|
||||
configMapResolver,
|
||||
)
|
||||
if err != nil {
|
||||
logger.Error(err, "failed to create leader controllers")
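Review bot: The first hunk names the new parameter of createNonLeaderControllers `informerCacheResolvers` (plural), while createReportControllers, createrLeaderControllers and both call sites in main use `configMapResolver` for the same single `resolvers.ConfigmapResolver` value. Using one name, e.g. `configMapResolver resolvers.ConfigmapResolver,`, would make it obvious that every controller shares one resolver instance. Separately, main hands the resolver to the non-leader controllers before the `StartInformersAndWaitForCacheSync(..., cacheInformer)` call; if the resolver reads from that informer's cache (the name suggests so, but it is not shown here), a short comment stating that it must not be queried until the sync returns would help. All four functions continue outside these hunks.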
|
||||
|
|
|
@ -11,6 +11,7 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/config"
|
||||
"github.com/kyverno/kyverno/pkg/engine"
|
||||
"github.com/kyverno/kyverno/pkg/engine/context"
|
||||
"github.com/kyverno/kyverno/pkg/engine/context/resolvers"
|
||||
utils "github.com/kyverno/kyverno/pkg/utils"
|
||||
"github.com/pkg/errors"
|
||||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||
|
@ -20,6 +21,7 @@ func NewBackgroundContext(dclient dclient.Interface, ur *kyvernov1beta1.UpdateRe
|
|||
policy kyvernov1.PolicyInterface,
|
||||
trigger *unstructured.Unstructured,
|
||||
cfg config.Configuration,
|
||||
informerCacheResolvers resolvers.ConfigmapResolver,
|
||||
namespaceLabels map[string]string,
|
||||
logger logr.Logger,
|
||||
) (*engine.PolicyContext, bool, error) {
|
||||
|
@ -84,7 +86,8 @@ func NewBackgroundContext(dclient dclient.Interface, ur *kyvernov1beta1.UpdateRe
|
|||
WithAdmissionInfo(ur.Spec.Context.UserRequestInfo).
|
||||
WithConfiguration(cfg).
|
||||
WithNamespaceLabels(namespaceLabels).
|
||||
WithClient(dclient)
|
||||
WithClient(dclient).
|
||||
WithInformerCacheResolver(informerCacheResolvers)
|
||||
|
||||
return policyContext, false, nil
|
||||
}
|
||||
|
|
|
@ -23,6 +23,7 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/config"
|
||||
"github.com/kyverno/kyverno/pkg/engine"
|
||||
enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
|
||||
"github.com/kyverno/kyverno/pkg/engine/context/resolvers"
|
||||
"github.com/kyverno/kyverno/pkg/engine/response"
|
||||
"github.com/kyverno/kyverno/pkg/engine/utils"
|
||||
"github.com/kyverno/kyverno/pkg/engine/variables"
|
||||
|
@ -52,8 +53,9 @@ type GenerateController struct {
|
|||
policyLister kyvernov1listers.ClusterPolicyLister
|
||||
npolicyLister kyvernov1listers.PolicyLister
|
||||
|
||||
configuration config.Configuration
|
||||
eventGen event.Interface
|
||||
configuration config.Configuration
|
||||
informerCacheResolvers resolvers.ConfigmapResolver
|
||||
eventGen event.Interface
|
||||
|
||||
log logr.Logger
|
||||
}
|
||||
|
@ -69,21 +71,23 @@ func NewGenerateController(
|
|||
urLister kyvernov1beta1listers.UpdateRequestNamespaceLister,
|
||||
nsLister corev1listers.NamespaceLister,
|
||||
dynamicConfig config.Configuration,
|
||||
informerCacheResolvers resolvers.ConfigmapResolver,
|
||||
eventGen event.Interface,
|
||||
log logr.Logger,
|
||||
) *GenerateController {
|
||||
c := GenerateController{
|
||||
client: client,
|
||||
kyvernoClient: kyvernoClient,
|
||||
statusControl: statusControl,
|
||||
rclient: rclient,
|
||||
policyLister: policyLister,
|
||||
npolicyLister: npolicyLister,
|
||||
urLister: urLister,
|
||||
nsLister: nsLister,
|
||||
configuration: dynamicConfig,
|
||||
eventGen: eventGen,
|
||||
log: log,
|
||||
client: client,
|
||||
kyvernoClient: kyvernoClient,
|
||||
statusControl: statusControl,
|
||||
rclient: rclient,
|
||||
policyLister: policyLister,
|
||||
npolicyLister: npolicyLister,
|
||||
urLister: urLister,
|
||||
nsLister: nsLister,
|
||||
configuration: dynamicConfig,
|
||||
informerCacheResolvers: informerCacheResolvers,
|
||||
eventGen: eventGen,
|
||||
log: log,
|
||||
}
|
||||
return &c
|
||||
}
|
||||
|
@ -193,7 +197,7 @@ func (c *GenerateController) applyGenerate(resource unstructured.Unstructured, u
|
|||
return nil, false, err
|
||||
}
|
||||
|
||||
policyContext, precreatedResource, err := common.NewBackgroundContext(c.client, &ur, &policy, &resource, c.configuration, namespaceLabels, logger)
|
||||
policyContext, precreatedResource, err := common.NewBackgroundContext(c.client, &ur, &policy, &resource, c.configuration, c.informerCacheResolvers, namespaceLabels, logger)
|
||||
if err != nil {
|
||||
return nil, precreatedResource, err
|
||||
}
|
||||
|
|
|
@ -13,6 +13,7 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/clients/dclient"
|
||||
"github.com/kyverno/kyverno/pkg/config"
|
||||
"github.com/kyverno/kyverno/pkg/engine"
|
||||
"github.com/kyverno/kyverno/pkg/engine/context/resolvers"
|
||||
"github.com/kyverno/kyverno/pkg/engine/response"
|
||||
"github.com/kyverno/kyverno/pkg/event"
|
||||
"github.com/kyverno/kyverno/pkg/registryclient"
|
||||
|
@ -35,8 +36,9 @@ type MutateExistingController struct {
|
|||
policyLister kyvernov1listers.ClusterPolicyLister
|
||||
npolicyLister kyvernov1listers.PolicyLister
|
||||
|
||||
configuration config.Configuration
|
||||
eventGen event.Interface
|
||||
configuration config.Configuration
|
||||
informerCacheResolvers resolvers.ConfigmapResolver
|
||||
eventGen event.Interface
|
||||
|
||||
log logr.Logger
|
||||
}
|
||||
|
@ -49,18 +51,20 @@ func NewMutateExistingController(
|
|||
policyLister kyvernov1listers.ClusterPolicyLister,
|
||||
npolicyLister kyvernov1listers.PolicyLister,
|
||||
dynamicConfig config.Configuration,
|
||||
informerCacheResolvers resolvers.ConfigmapResolver,
|
||||
eventGen event.Interface,
|
||||
log logr.Logger,
|
||||
) *MutateExistingController {
|
||||
c := MutateExistingController{
|
||||
client: client,
|
||||
statusControl: statusControl,
|
||||
rclient: rclient,
|
||||
policyLister: policyLister,
|
||||
npolicyLister: npolicyLister,
|
||||
configuration: dynamicConfig,
|
||||
eventGen: eventGen,
|
||||
log: log,
|
||||
client: client,
|
||||
statusControl: statusControl,
|
||||
rclient: rclient,
|
||||
policyLister: policyLister,
|
||||
npolicyLister: npolicyLister,
|
||||
configuration: dynamicConfig,
|
||||
informerCacheResolvers: informerCacheResolvers,
|
||||
eventGen: eventGen,
|
||||
log: log,
|
||||
}
|
||||
return &c
|
||||
}
|
||||
|
@ -87,7 +91,7 @@ func (c *MutateExistingController) ProcessUR(ur *kyvernov1beta1.UpdateRequest) e
|
|||
continue
|
||||
}
|
||||
|
||||
policyContext, _, err := common.NewBackgroundContext(c.client, ur, policy, trigger, c.configuration, nil, logger)
|
||||
policyContext, _, err := common.NewBackgroundContext(c.client, ur, policy, trigger, c.configuration, c.informerCacheResolvers, nil, logger)
|
||||
if err != nil {
|
||||
logger.WithName(rule.Name).Error(err, "failed to build policy context")
|
||||
errs = append(errs, err)
|
||||
|
|
|
@ -18,6 +18,7 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/clients/dclient"
|
||||
pkgCommon "github.com/kyverno/kyverno/pkg/common"
|
||||
"github.com/kyverno/kyverno/pkg/config"
|
||||
"github.com/kyverno/kyverno/pkg/engine/context/resolvers"
|
||||
"github.com/kyverno/kyverno/pkg/event"
|
||||
"github.com/kyverno/kyverno/pkg/registryclient"
|
||||
kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
|
||||
|
@ -61,8 +62,9 @@ type controller struct {
|
|||
// queue
|
||||
queue workqueue.RateLimitingInterface
|
||||
|
||||
eventGen event.Interface
|
||||
configuration config.Configuration
|
||||
eventGen event.Interface
|
||||
configuration config.Configuration
|
||||
informerCacheResolvers resolvers.ConfigmapResolver
|
||||
}
|
||||
|
||||
// NewController returns an instance of the Generate-Request Controller
|
||||
|
@ -77,20 +79,22 @@ func NewController(
|
|||
podInformer corev1informers.PodInformer,
|
||||
eventGen event.Interface,
|
||||
dynamicConfig config.Configuration,
|
||||
informerCacheResolvers resolvers.ConfigmapResolver,
|
||||
) Controller {
|
||||
urLister := urInformer.Lister().UpdateRequests(config.KyvernoNamespace())
|
||||
c := controller{
|
||||
client: client,
|
||||
kyvernoClient: kyvernoClient,
|
||||
rclient: rclient,
|
||||
cpolLister: cpolInformer.Lister(),
|
||||
polLister: polInformer.Lister(),
|
||||
urLister: urLister,
|
||||
nsLister: namespaceInformer.Lister(),
|
||||
podLister: podInformer.Lister(),
|
||||
queue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "update-request"),
|
||||
eventGen: eventGen,
|
||||
configuration: dynamicConfig,
|
||||
client: client,
|
||||
kyvernoClient: kyvernoClient,
|
||||
rclient: rclient,
|
||||
cpolLister: cpolInformer.Lister(),
|
||||
polLister: polInformer.Lister(),
|
||||
urLister: urLister,
|
||||
nsLister: namespaceInformer.Lister(),
|
||||
podLister: podInformer.Lister(),
|
||||
queue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "update-request"),
|
||||
eventGen: eventGen,
|
||||
configuration: dynamicConfig,
|
||||
informerCacheResolvers: informerCacheResolvers,
|
||||
}
|
||||
urInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
|
||||
AddFunc: c.addUR,
|
||||
|
@ -409,10 +413,10 @@ func (c *controller) processUR(ur *kyvernov1beta1.UpdateRequest) error {
|
|||
statusControl := common.NewStatusControl(c.kyvernoClient, c.urLister)
|
||||
switch ur.Spec.Type {
|
||||
case kyvernov1beta1.Mutate:
|
||||
ctrl := mutate.NewMutateExistingController(c.client, statusControl, c.rclient, c.cpolLister, c.polLister, c.configuration, c.eventGen, logger)
|
||||
ctrl := mutate.NewMutateExistingController(c.client, statusControl, c.rclient, c.cpolLister, c.polLister, c.configuration, c.informerCacheResolvers, c.eventGen, logger)
|
||||
return ctrl.ProcessUR(ur)
|
||||
case kyvernov1beta1.Generate:
|
||||
ctrl := generate.NewGenerateController(c.client, c.kyvernoClient, statusControl, c.rclient, c.cpolLister, c.polLister, c.urLister, c.nsLister, c.configuration, c.eventGen, logger)
|
||||
ctrl := generate.NewGenerateController(c.client, c.kyvernoClient, statusControl, c.rclient, c.cpolLister, c.polLister, c.urLister, c.nsLister, c.configuration, c.informerCacheResolvers, c.eventGen, logger)
|
||||
return ctrl.ProcessUR(ur)
|
||||
}
|
||||
return nil
|
||||
|
|
|
@ -15,6 +15,7 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/controllers"
|
||||
"github.com/kyverno/kyverno/pkg/controllers/report/resource"
|
||||
"github.com/kyverno/kyverno/pkg/controllers/report/utils"
|
||||
"github.com/kyverno/kyverno/pkg/engine/context/resolvers"
|
||||
"github.com/kyverno/kyverno/pkg/engine/response"
|
||||
"github.com/kyverno/kyverno/pkg/registryclient"
|
||||
controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"
|
||||
|
@ -58,6 +59,8 @@ type controller struct {
|
|||
|
||||
// cache
|
||||
metadataCache resource.MetadataCache
|
||||
|
||||
informerCacheResolvers resolvers.ConfigmapResolver
|
||||
}
|
||||
|
||||
func NewController(
|
||||
|
@ -69,23 +72,25 @@ func NewController(
|
|||
cpolInformer kyvernov1informers.ClusterPolicyInformer,
|
||||
nsInformer corev1informers.NamespaceInformer,
|
||||
metadataCache resource.MetadataCache,
|
||||
informerCacheResolvers resolvers.ConfigmapResolver,
|
||||
) controllers.Controller {
|
||||
bgscanr := metadataFactory.ForResource(kyvernov1alpha2.SchemeGroupVersion.WithResource("backgroundscanreports"))
|
||||
cbgscanr := metadataFactory.ForResource(kyvernov1alpha2.SchemeGroupVersion.WithResource("clusterbackgroundscanreports"))
|
||||
queue := workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), ControllerName)
|
||||
c := controller{
|
||||
client: client,
|
||||
kyvernoClient: kyvernoClient,
|
||||
rclient: rclient,
|
||||
polLister: polInformer.Lister(),
|
||||
cpolLister: cpolInformer.Lister(),
|
||||
bgscanrLister: bgscanr.Lister(),
|
||||
cbgscanrLister: cbgscanr.Lister(),
|
||||
nsLister: nsInformer.Lister(),
|
||||
queue: queue,
|
||||
bgscanEnqueue: controllerutils.AddDefaultEventHandlers(logger, bgscanr.Informer(), queue),
|
||||
cbgscanEnqueue: controllerutils.AddDefaultEventHandlers(logger, cbgscanr.Informer(), queue),
|
||||
metadataCache: metadataCache,
|
||||
client: client,
|
||||
kyvernoClient: kyvernoClient,
|
||||
rclient: rclient,
|
||||
polLister: polInformer.Lister(),
|
||||
cpolLister: cpolInformer.Lister(),
|
||||
bgscanrLister: bgscanr.Lister(),
|
||||
cbgscanrLister: cbgscanr.Lister(),
|
||||
nsLister: nsInformer.Lister(),
|
||||
queue: queue,
|
||||
bgscanEnqueue: controllerutils.AddDefaultEventHandlers(logger, bgscanr.Informer(), queue),
|
||||
cbgscanEnqueue: controllerutils.AddDefaultEventHandlers(logger, cbgscanr.Informer(), queue),
|
||||
metadataCache: metadataCache,
|
||||
informerCacheResolvers: informerCacheResolvers,
|
||||
}
|
||||
controllerutils.AddEventHandlersT(polInformer.Informer(), c.addPolicy, c.updatePolicy, c.deletePolicy)
|
||||
controllerutils.AddEventHandlersT(cpolInformer.Informer(), c.addPolicy, c.updatePolicy, c.deletePolicy)
|
||||
|
@ -218,7 +223,7 @@ func (c *controller) updateReport(ctx context.Context, meta metav1.Object, gvk s
|
|||
}
|
||||
// if the resource changed, we need to rebuild the report
|
||||
if !reportutils.CompareHash(meta, resource.Hash) {
|
||||
scanner := utils.NewScanner(logger, c.client, c.rclient)
|
||||
scanner := utils.NewScanner(logger, c.client, c.rclient, c.informerCacheResolvers)
|
||||
before, err := c.getReport(ctx, meta.GetNamespace(), meta.GetName())
|
||||
if err != nil {
|
||||
return nil
|
||||
|
@ -307,7 +312,7 @@ func (c *controller) updateReport(ctx context.Context, meta metav1.Object, gvk s
|
|||
}
|
||||
// creations
|
||||
if len(toCreate) > 0 {
|
||||
scanner := utils.NewScanner(logger, c.client, c.rclient)
|
||||
scanner := utils.NewScanner(logger, c.client, c.rclient, c.informerCacheResolvers)
|
||||
resource, err := c.client.GetResource(ctx, gvk.GroupVersion().String(), gvk.Kind, resource.Namespace, resource.Name)
|
||||
if err != nil {
|
||||
return err
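Review bot: In the first updateReport hunk, a failed `c.getReport(...)` ends in `return nil`, so the error is dropped without being logged or returned and the report is left un-rebuilt, whereas the second hunk returns `err` for the analogous `c.client.GetResource(...)` failure. Unless this is deliberately best-effort, `return err` there would let the caller see the failure instead of leaving a stale report that no longer reflects the resource. These lines are context the commit does not change, and updateReport continues outside both hunks, so confirm against the full function.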
|
||||
|
|
|
@ -8,6 +8,7 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/clients/dclient"
|
||||
"github.com/kyverno/kyverno/pkg/engine"
|
||||
enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
|
||||
"github.com/kyverno/kyverno/pkg/engine/context/resolvers"
|
||||
"github.com/kyverno/kyverno/pkg/engine/response"
|
||||
"github.com/kyverno/kyverno/pkg/registryclient"
|
||||
"go.uber.org/multierr"
|
||||
|
@ -15,10 +16,11 @@ import (
|
|||
)
|
||||
|
||||
type scanner struct {
|
||||
logger logr.Logger
|
||||
client dclient.Interface
|
||||
rclient registryclient.Client
|
||||
excludeGroupRole []string
|
||||
logger logr.Logger
|
||||
client dclient.Interface
|
||||
rclient registryclient.Client
|
||||
informerCacheResolvers resolvers.ConfigmapResolver
|
||||
excludeGroupRole []string
|
||||
}
|
||||
|
||||
type ScanResult struct {
|
||||
|
@ -30,12 +32,13 @@ type Scanner interface {
|
|||
ScanResource(context.Context, unstructured.Unstructured, map[string]string, ...kyvernov1.PolicyInterface) map[kyvernov1.PolicyInterface]ScanResult
|
||||
}
|
||||
|
||||
func NewScanner(logger logr.Logger, client dclient.Interface, rclient registryclient.Client, excludeGroupRole ...string) Scanner {
|
||||
func NewScanner(logger logr.Logger, client dclient.Interface, rclient registryclient.Client, informerCacheResolvers resolvers.ConfigmapResolver, excludeGroupRole ...string) Scanner {
|
||||
return &scanner{
|
||||
logger: logger,
|
||||
client: client,
|
||||
rclient: rclient,
|
||||
excludeGroupRole: excludeGroupRole,
|
||||
logger: logger,
|
||||
client: client,
|
||||
rclient: rclient,
|
||||
informerCacheResolvers: informerCacheResolvers,
|
||||
excludeGroupRole: excludeGroupRole,
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -85,7 +88,8 @@ func (s *scanner) validateResource(ctx context.Context, resource unstructured.Un
|
|||
WithPolicy(policy).
|
||||
WithClient(s.client).
|
||||
WithNamespaceLabels(nsLabels).
|
||||
WithExcludeGroupRole(s.excludeGroupRole...)
|
||||
WithExcludeGroupRole(s.excludeGroupRole...).
|
||||
WithInformerCacheResolver(s.informerCacheResolvers)
|
||||
return engine.Validate(ctx, s.rclient, policyCtx), nil
|
||||
}
|
||||
|
||||
|
@ -108,7 +112,8 @@ func (s *scanner) validateImages(ctx context.Context, resource unstructured.Unst
|
|||
WithPolicy(policy).
|
||||
WithClient(s.client).
|
||||
WithNamespaceLabels(nsLabels).
|
||||
WithExcludeGroupRole(s.excludeGroupRole...)
|
||||
WithExcludeGroupRole(s.excludeGroupRole...).
|
||||
WithInformerCacheResolver(s.informerCacheResolvers)
|
||||
response, _ := engine.VerifyAndPatchImages(ctx, s.rclient, policyCtx)
|
||||
if len(response.PolicyResponse.Rules) > 0 {
|
||||
s.logger.Info("validateImages", "policy", policy, "response", response)
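Review bot: NewScanner is exported and now takes a fourth positional argument ahead of the variadic `excludeGroupRole`, but it has no doc comment saying what the resolver is for or whether nil is acceptable. Something like `// NewScanner returns a Scanner; informerCacheResolvers is attached to every policy context built by validateResource and validateImages.` would cover it, plus a sentence on nil if the engine tolerates one (not visible here). validateResource and validateImages both start and end outside their hunks.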
|
||||
|
|
|
@ -13,6 +13,7 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/clients/dclient"
|
||||
"github.com/kyverno/kyverno/pkg/engine"
|
||||
enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
|
||||
"github.com/kyverno/kyverno/pkg/engine/context/resolvers"
|
||||
"github.com/kyverno/kyverno/pkg/engine/response"
|
||||
"github.com/kyverno/kyverno/pkg/registryclient"
|
||||
jsonutils "github.com/kyverno/kyverno/pkg/utils/json"
|
||||
|
@ -27,6 +28,7 @@ func applyPolicy(
|
|||
excludeGroupRole []string,
|
||||
client dclient.Interface,
|
||||
rclient registryclient.Client,
|
||||
informerCacheResolvers resolvers.ConfigmapResolver,
|
||||
namespaceLabels map[string]string,
|
||||
) (responses []*response.EngineResponse) {
|
||||
startTime := time.Now()
|
||||
|
@ -63,7 +65,7 @@ func applyPolicy(
|
|||
logger.Error(err, "unable to set operation in context")
|
||||
}
|
||||
|
||||
engineResponseMutation, err = mutation(policy, resource, logger, ctx, rclient, namespaceLabels)
|
||||
engineResponseMutation, err = mutation(policy, resource, logger, ctx, rclient, informerCacheResolvers, namespaceLabels)
|
||||
if err != nil {
|
||||
logger.Error(err, "failed to process mutation rule")
|
||||
}
|
||||
|
@ -73,7 +75,8 @@ func applyPolicy(
|
|||
WithNewResource(resource).
|
||||
WithNamespaceLabels(namespaceLabels).
|
||||
WithClient(client).
|
||||
WithExcludeGroupRole(excludeGroupRole...)
|
||||
WithExcludeGroupRole(excludeGroupRole...).
|
||||
WithInformerCacheResolver(informerCacheResolvers)
|
||||
|
||||
engineResponseValidation = engine.Validate(context.TODO(), rclient, policyCtx)
|
||||
engineResponses = append(engineResponses, mergeRuleRespose(engineResponseMutation, engineResponseValidation))
|
||||
|
@ -87,12 +90,14 @@ func mutation(
|
|||
log logr.Logger,
|
||||
jsonContext enginecontext.Interface,
|
||||
rclient registryclient.Client,
|
||||
informerCacheResolvers resolvers.ConfigmapResolver,
|
||||
namespaceLabels map[string]string,
|
||||
) (*response.EngineResponse, error) {
|
||||
policyContext := engine.NewPolicyContextWithJsonContext(jsonContext).
|
||||
WithPolicy(policy).
|
||||
WithNamespaceLabels(namespaceLabels).
|
||||
WithNewResource(resource)
|
||||
WithNewResource(resource).
|
||||
WithInformerCacheResolver(informerCacheResolvers)
|
||||
|
||||
engineResponse := engine.Mutate(context.TODO(), rclient, policyContext)
|
||||
if !engineResponse.IsSuccessful() {
|
||||
|
|
|
@ -81,7 +81,7 @@ func (pc *PolicyController) applyPolicy(policy kyvernov1.PolicyInterface, resour
|
|||
}
|
||||
|
||||
namespaceLabels := common.GetNamespaceSelectorsFromNamespaceLister(resource.GetKind(), resource.GetNamespace(), pc.nsLister, logger)
|
||||
engineResponse := applyPolicy(policy, resource, logger, pc.configHandler.GetExcludeGroupRole(), pc.client, pc.rclient, namespaceLabels)
|
||||
engineResponse := applyPolicy(policy, resource, logger, pc.configHandler.GetExcludeGroupRole(), pc.client, pc.rclient, pc.informerCacheResolvers, namespaceLabels)
|
||||
engineResponses = append(engineResponses, engineResponse...)
|
||||
|
||||
// post-processing, register the resource as processed
|
||||
|
|
|
@ -22,6 +22,7 @@ import (
|
|||
kyvernov1beta1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1beta1"
|
||||
"github.com/kyverno/kyverno/pkg/clients/dclient"
|
||||
"github.com/kyverno/kyverno/pkg/config"
|
||||
"github.com/kyverno/kyverno/pkg/engine/context/resolvers"
|
||||
"github.com/kyverno/kyverno/pkg/event"
|
||||
"github.com/kyverno/kyverno/pkg/metrics"
|
||||
"github.com/kyverno/kyverno/pkg/registryclient"
|
||||
|
@ -77,6 +78,8 @@ type PolicyController struct {
|
|||
// nsLister can list/get namespaces from the shared informer's store
|
||||
nsLister corev1listers.NamespaceLister
|
||||
|
||||
informerCacheResolvers resolvers.ConfigmapResolver
|
||||
|
||||
informersSynced []cache.InformerSynced
|
||||
|
||||
// Resource manager, manages the mapping for already processed resource
|
||||
|
@ -103,6 +106,7 @@ func NewPolicyController(
|
|||
configHandler config.Configuration,
|
||||
eventGen event.Interface,
|
||||
namespaces corev1informers.NamespaceInformer,
|
||||
informerCacheResolvers resolvers.ConfigmapResolver,
|
||||
log logr.Logger,
|
||||
reconcilePeriod time.Duration,
|
||||
metricsConfig metrics.MetricsConfigManager,
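Review bot: The hunks for this file declare the `informerCacheResolvers` field on PolicyController and add the matching parameter to NewPolicyController, but none of them shows the field being set from the parameter. If the struct literal in the constructor (outside the hunks shown) is not updated with `informerCacheResolvers: informerCacheResolvers,`, then `pc.informerCacheResolvers` is nil where PolicyController.applyPolicy and handleUpdateRequest pass it on to applyPolicy and common.NewBackgroundContext. Please confirm the assignment exists; the other constructors in this commit (NewGenerateController, NewMutateExistingController, both NewController functions, NewScanner) all show it explicitly.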
|
||||
|
|
|
@ -100,7 +100,7 @@ func (pc *PolicyController) updateUR(policyKey string, policy kyvernov1.PolicyIn
|
|||
}
|
||||
|
||||
func (pc *PolicyController) handleUpdateRequest(ur *kyvernov1beta1.UpdateRequest, triggerResource *unstructured.Unstructured, rule kyvernov1.Rule, policy kyvernov1.PolicyInterface) (skip bool, err error) {
|
||||
policyContext, _, err := common.NewBackgroundContext(pc.client, ur, policy, triggerResource, pc.configHandler, nil, pc.log)
|
||||
policyContext, _, err := common.NewBackgroundContext(pc.client, ur, policy, triggerResource, pc.configHandler, pc.informerCacheResolvers, nil, pc.log)
|
||||
if err != nil {
|
||||
return false, errors.Wrapf(err, "failed to build policy context for rule %s", rule.Name)
|
||||
}
|
||||
|
|