refactor: use typed informers and add tombstone support to webhookconfig (#3736)

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Sambhav Kothari <sambhavs.email@gmail.com>
2025-04-15 08:46:36 +00:00 · 2022-05-02 10:19:39 +02:00 · 2022-05-02 10:19:39 +02:00 · 87880ad6f1
commit 87880ad6f1
parent 3cb620499e
2 changed files with 53 additions and 28 deletions
--- a/pkg/webhookconfig/configmanager.go
+++ b/pkg/webhookconfig/configmanager.go
@ -41,7 +41,7 @@ var DefaultWebhookTimeout int64 = 10
 // it is NOT multi-thread safe
 type webhookConfigManager struct {
 	client        *client.Client
-	kyvernoClient *kyvernoclient.Clientset
+	kyvernoClient kyvernoclient.Interface

 	pInformer  kyvernoinformer.ClusterPolicyInformer
 	npInformer kyvernoinformer.PolicyInformer
@ -60,8 +60,8 @@ type webhookConfigManager struct {

 	resCache resourcecache.ResourceCache

-	mutateInformer         cache.SharedIndexInformer
-	validateInformer       cache.SharedIndexInformer
+	mutateInformer         adminformers.MutatingWebhookConfigurationInformer
+	validateInformer       adminformers.ValidatingWebhookConfigurationInformer
 	mutateLister           admlisters.MutatingWebhookConfigurationLister
 	validateLister         admlisters.ValidatingWebhookConfigurationLister
 	mutateInformerSynced   cache.InformerSynced
@ -119,15 +119,12 @@ func newWebhookConfigManager(

 	m.pLister = pInformer.Lister()
 	m.npLister = npInformer.Lister()
-
 	m.pListerSynced = pInformer.Informer().HasSynced
 	m.npListerSynced = npInformer.Informer().HasSynced
-
-	m.mutateInformer = mwcInformer.Informer()
+	m.mutateInformer = mwcInformer
 	m.mutateLister = mwcInformer.Lister()
 	m.mutateInformerSynced = mwcInformer.Informer().HasSynced
-
-	m.validateInformer = vwcInformer.Informer()
+	m.validateInformer = vwcInformer
 	m.validateLister = vwcInformer.Lister()
 	m.validateInformerSynced = vwcInformer.Informer().HasSynced

@ -234,14 +231,43 @@ func (m *webhookConfigManager) deletePolicy(obj interface{}) {
 	m.enqueue(p)
 }

-func (m *webhookConfigManager) deleteWebhook(obj interface{}) {
-	m.log.WithName("deleteWebhook").Info("resource webhook configuration was deleted, recreating...")
-	if webhook, ok := obj.(*unstructured.Unstructured); ok {
-		k := webhook.GetKind()
-		if (k == kindMutating && webhook.GetName() == config.MutatingWebhookConfigurationName) ||
-			(k == kindValidating && webhook.GetName() == config.ValidatingWebhookConfigurationName) {
-			m.enqueueAllPolicies()
+func (m *webhookConfigManager) deleteMutatingWebhook(obj interface{}) {
+	m.log.WithName("deleteMutatingWebhook").Info("resource webhook configuration was deleted, recreating...")
+	webhook, ok := obj.(*admregapi.MutatingWebhookConfiguration)
+	if !ok {
+		tombstone, ok := obj.(cache.DeletedFinalStateUnknown)
+		if !ok {
+			m.log.Info("Couldn't get object from tombstone", "obj", obj)
+			return
 		}
+		webhook, ok = tombstone.Obj.(*admregapi.MutatingWebhookConfiguration)
+		if !ok {
+			m.log.Info("tombstone contained object that is not a MutatingWebhookConfiguration", "obj", obj)
+			return
+		}
+	}
+	if webhook.GetName() == config.MutatingWebhookConfigurationName {
+		m.enqueueAllPolicies()
+	}
+}
+
+func (m *webhookConfigManager) deleteValidatingWebhook(obj interface{}) {
+	m.log.WithName("deleteMutatingWebhook").Info("resource webhook configuration was deleted, recreating...")
+	webhook, ok := obj.(*admregapi.ValidatingWebhookConfiguration)
+	if !ok {
+		tombstone, ok := obj.(cache.DeletedFinalStateUnknown)
+		if !ok {
+			m.log.Info("Couldn't get object from tombstone", "obj", obj)
+			return
+		}
+		webhook, ok = tombstone.Obj.(*admregapi.ValidatingWebhookConfiguration)
+		if !ok {
+			m.log.Info("tombstone contained object that is not a ValidatingWebhookConfiguration", "obj", obj)
+			return
+		}
+	}
+	if webhook.GetName() == config.ValidatingWebhookConfigurationName {
+		m.enqueueAllPolicies()
 	}
 }

@ -292,12 +318,12 @@ func (m *webhookConfigManager) start() {
 		DeleteFunc: m.deletePolicy,
 	})

-	m.mutateInformer.AddEventHandler(cache.ResourceEventHandlerFuncs{
-		DeleteFunc: m.deleteWebhook,
+	m.mutateInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
+		DeleteFunc: m.deleteMutatingWebhook,
 	})

-	m.validateInformer.AddEventHandler(cache.ResourceEventHandlerFuncs{
-		DeleteFunc: m.deleteWebhook,
+	m.validateInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
+		DeleteFunc: m.deleteValidatingWebhook,
 	})

 	for m.processNextWorkItem() {
--- a/pkg/webhookconfig/registration.go
+++ b/pkg/webhookconfig/registration.go
@ -22,7 +22,6 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	errorsapi "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
@ -553,15 +552,15 @@ func (wrc *Register) constructVerifyMutatingWebhookConfig(caData []byte) *admreg
 		admregapi.Ignore,
 	)

-	genWebHook.ObjectSelector = &v1.LabelSelector{
+	genWebHook.ObjectSelector = &metav1.LabelSelector{
 		MatchLabels: map[string]string{
 			"app.kubernetes.io/name": "kyverno",
 		},
 	}
 	return &admregapi.MutatingWebhookConfiguration{
-		ObjectMeta: v1.ObjectMeta{
+		ObjectMeta: metav1.ObjectMeta{
 			Name: config.VerifyMutatingWebhookConfigurationName,
-			OwnerReferences: []v1.OwnerReference{
+			OwnerReferences: []metav1.OwnerReference{
 				wrc.constructOwner(),
 			},
 		},
@ -589,13 +588,13 @@ func (wrc *Register) constructDebugVerifyMutatingWebhookConfig(caData []byte) *a
 		[]admregapi.OperationType{admregapi.Update},
 		admregapi.Ignore,
 	)
-	genWebHook.ObjectSelector = &v1.LabelSelector{
+	genWebHook.ObjectSelector = &metav1.LabelSelector{
 		MatchLabels: map[string]string{
 			"app.kubernetes.io/name": "kyverno",
 		},
 	}
 	return &admregapi.MutatingWebhookConfiguration{
-		ObjectMeta: v1.ObjectMeta{
+		ObjectMeta: metav1.ObjectMeta{
 			Name: config.VerifyMutatingWebhookConfigurationDebugName,
 		},
 		Webhooks: []admregapi.MutatingWebhook{
@ -647,7 +646,7 @@ func (wrc *Register) GetWebhookTimeOut() time.Duration {

 // removeSecrets removes Kyverno managed secrets
 func (wrc *Register) removeSecrets() {
-	selector := &v1.LabelSelector{
+	selector := &metav1.LabelSelector{
 		MatchLabels: map[string]string{
 			tls.ManagedByLabel: "kyverno",
 		},
@ -679,7 +678,7 @@ func (wrc *Register) checkEndpoint() error {
 		return fmt.Errorf("failed to convert endpoint %s/%s from unstructured: %v", config.KyvernoNamespace, config.KyvernoServiceName, err)
 	}

-	pods, err := wrc.client.ListResource("", "Pod", config.KyvernoNamespace, &v1.LabelSelector{MatchLabels: map[string]string{"app.kubernetes.io/name": "kyverno"}})
+	pods, err := wrc.client.ListResource("", "Pod", config.KyvernoNamespace, &metav1.LabelSelector{MatchLabels: map[string]string{"app.kubernetes.io/name": "kyverno"}})
 	if err != nil {
 		return fmt.Errorf("failed to list Kyverno Pod: %v", err)
 	}
@ -735,7 +734,7 @@ func getHealthyPodsIP(pods []unstructured.Unstructured) (ips []string, errs []er
 	return
 }

-func convertLabelSelector(selector *v1.LabelSelector, logger logr.Logger) (map[string]interface{}, error) {
+func convertLabelSelector(selector *metav1.LabelSelector, logger logr.Logger) (map[string]interface{}, error) {
 	if selector == nil {
 		return nil, nil
 	}