From bc37d27de6ba83b4dee987c1cf24da6866c9b981 Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Sun, 17 May 2020 09:51:18 -0700 Subject: [PATCH 1/7] remove unnecessary comments and reduce cache resync intervals --- cmd/kyverno/main.go | 44 +++++++++++++++++------------------------- pkg/policy/existing.go | 35 ++++++++++++++++++++------------- 2 files changed, 40 insertions(+), 39 deletions(-) diff --git a/cmd/kyverno/main.go b/cmd/kyverno/main.go index 83046b6f7c..2413177ad2 100644 --- a/cmd/kyverno/main.go +++ b/cmd/kyverno/main.go @@ -33,6 +33,8 @@ import ( log "sigs.k8s.io/controller-runtime/pkg/log" ) +const resyncPeriod = 15 * time.Minute + var ( kubeconfig string serverIP string @@ -61,15 +63,11 @@ func main() { // Generate CSR with CN as FQDN due to https://github.com/nirmata/kyverno/issues/542 flag.BoolVar(&fqdncn, "fqdn-as-cn", false, "use FQDN as Common Name in CSR") - flag.Parse() version.PrintVersionInfo(log.Log) - // cleanUp Channel cleanUp := make(chan struct{}) - // handle os signals stopCh := signal.SetupSignalHandler() - // CLIENT CONFIG clientConfig, err := config.CreateClientConfig(kubeconfig, log.Log) if err != nil { setupLog.Error(err, "Failed to build kubeconfig") @@ -88,39 +86,31 @@ func main() { // DYNAMIC CLIENT // - client for all registered resources - // - invalidate local cache of registered resource every 10 seconds - client, err := dclient.NewClient(clientConfig, 10*time.Second, stopCh, log.Log) + client, err := dclient.NewClient(clientConfig, 5*time.Minute, stopCh, log.Log) if err != nil { setupLog.Error(err, "Failed to create client") os.Exit(1) } + // CRD CHECK // - verify if the CRD for Policy & PolicyViolation are available if !utils.CRDInstalled(client.DiscoveryClient, log.Log) { setupLog.Error(fmt.Errorf("pre-requisite CRDs not installed"), "Failed to create watch on kyverno CRDs") os.Exit(1) } - // KUBERNETES CLIENT + kubeClient, err := utils.NewKubeClient(clientConfig) if err != nil { setupLog.Error(err, "Failed to create kubernetes client") os.Exit(1) } - // TODO(shuting): To be removed for v1.2.0 + // TODO: To be removed for v1.2.0 utils.CleanupOldCrd(client, log.Log) - // KUBERNETES RESOURCES INFORMER - // watches namespace resource - // - cache resync time: 10 seconds - kubeInformer := kubeinformers.NewSharedInformerFactoryWithOptions( - kubeClient, - 10*time.Second) - // KUBERNETES Dynamic informer - // - cahce resync time: 10 seconds - kubedynamicInformer := client.NewDynamicSharedInformerFactory(10 * time.Second) + kubeInformer := kubeinformers.NewSharedInformerFactoryWithOptions(kubeClient, resyncPeriod) + kubedynamicInformer := client.NewDynamicSharedInformerFactory(resyncPeriod) - // WERBHOOK REGISTRATION CLIENT webhookRegistrationClient := webhookconfig.NewWebhookRegistrationClient( clientConfig, client, @@ -143,10 +133,7 @@ func main() { // watches CRD resources: // - Policy // - PolicyVolation - // - cache resync time: 10 seconds - pInformer := kyvernoinformer.NewSharedInformerFactoryWithOptions( - pclient, - 10*time.Second) + pInformer := kyvernoinformer.NewSharedInformerFactoryWithOptions(pclient, resyncPeriod) // Configuration Data // dynamically load the configuration from configMap @@ -187,8 +174,7 @@ func main() { // POLICY CONTROLLER // - reconciliation policy and policy violation // - process policy on existing resources - // - status aggregator: receives stats when a policy is applied - // & updates the policy status + // - status aggregator: receives stats when a policy is applied & updates the policy status pc, err := policy.NewPolicyController(pclient, client, pInformer.Kyverno().V1().ClusterPolicies(), @@ -201,6 +187,7 @@ func main() { rWebhookWatcher, log.Log.WithName("PolicyController"), ) + if err != nil { setupLog.Error(err, "Failed to create policy controller") os.Exit(1) @@ -222,6 +209,7 @@ func main() { statusSync.Listener, log.Log.WithName("GenerateController"), ) + // GENERATE REQUEST CLEANUP // -- cleans up the generate requests that have not been processed(i.e. state = [Pending, Failed]) for more than defined timeout grcc := generatecleanup.NewController( @@ -257,7 +245,7 @@ func main() { } // Sync openAPI definitions of resources - openApiSync := openapi.NewCRDSync(client, openAPIController) + openAPISync := openapi.NewCRDSync(client, openAPIController) // WEBHOOOK // - https server to provide endpoints called based on rules defined in Mutating & Validation webhook configuration @@ -284,10 +272,12 @@ func main() { log.Log.WithName("WebhookServer"), openAPIController, ) + if err != nil { setupLog.Error(err, "Failed to create webhook server") os.Exit(1) } + // Start the components pInformer.Start(stopCh) kubeInformer.Start(stopCh) @@ -302,7 +292,7 @@ func main() { go grcc.Run(1, stopCh) go pvgen.Run(1, stopCh) go statusSync.Run(1, stopCh) - openApiSync.Run(1, stopCh) + openAPISync.Run(1, stopCh) // verifys if the admission control is enabled and active // resync: 60 seconds @@ -319,8 +309,10 @@ func main() { defer func() { cancel() }() + // cleanup webhookconfigurations followed by webhook shutdown server.Stop(ctx) + // resource cleanup // remove webhook configurations <-cleanUp diff --git a/pkg/policy/existing.go b/pkg/policy/existing.go index af8dfc09c6..3af6c6f67e 100644 --- a/pkg/policy/existing.go +++ b/pkg/policy/existing.go @@ -53,26 +53,35 @@ func listResources(client *client.Client, policy kyverno.ClusterPolicy, configHa resourceMap := map[string]unstructured.Unstructured{} for _, rule := range policy.Spec.Rules { - // resources that match for _, k := range rule.MatchResources.Kinds { - var namespaces []string - if len(rule.MatchResources.Namespaces) > 0 { - namespaces = append(namespaces, rule.MatchResources.Namespaces...) - log.V(4).Info("namespaces included", "namespaces", rule.MatchResources.Namespaces) - } else { - log.V(4).Info("processing all namespaces", "rule", rule.Name) - // get all namespaces - namespaces = getAllNamespaces(client, log) + + resourceSchema, _, err := client.DiscoveryClient.FindResource(k) + if err != nil { + log.Error(err, "failed to find resource", "kind", k) + continue } - // get resources in the namespaces - for _, ns := range namespaces { - rMap := getResourcesPerNamespace(k, client, ns, rule, configHandler, log) + if !resourceSchema.Namespaced { + rMap := getResourcesPerNamespace(k, client, "", rule, configHandler, log) mergeresources(resourceMap, rMap) - } + } else { + var namespaces []string + if len(rule.MatchResources.Namespaces) > 0 { + log.V(4).Info("namespaces included", "namespaces", rule.MatchResources.Namespaces) + namespaces = append(namespaces, rule.MatchResources.Namespaces...) + } else { + log.V(4).Info("processing all namespaces", "rule", rule.Name) + namespaces = getAllNamespaces(client, log) + } + for _, ns := range namespaces { + rMap := getResourcesPerNamespace(k, client, ns, rule, configHandler, log) + mergeresources(resourceMap, rMap) + } + } } } + return resourceMap } From bf1aaba99b57320ef1411197ae33bcc7d943dee3 Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Sun, 17 May 2020 09:51:46 -0700 Subject: [PATCH 2/7] allow cross platform builds --- Makefile | 4 +++ pkg/policy/controller.go | 37 +++++++++++++++++---------- pkg/webhookconfig/rwebhookregister.go | 2 +- 3 files changed, 29 insertions(+), 14 deletions(-) diff --git a/Makefile b/Makefile index 824f8b92e4..1dcc807402 100644 --- a/Makefile +++ b/Makefile @@ -53,6 +53,10 @@ docker-push-initContainer: .PHONY: docker-build-kyverno docker-tag-repo-kyverno docker-push-kyverno KYVERNO_PATH := cmd/kyverno KYVERNO_IMAGE := kyverno + +local: + go build -ldflags=$(LD_FLAGS) $(PWD)/$(KYVERNO_PATH)/ + kyverno: GOOS=$(GOOS) go build -o $(PWD)/$(KYVERNO_PATH)/kyverno -ldflags=$(LD_FLAGS) $(PWD)/$(KYVERNO_PATH)/main.go diff --git a/pkg/policy/controller.go b/pkg/policy/controller.go index 2a471a37fe..a0d3934be3 100644 --- a/pkg/policy/controller.go +++ b/pkg/policy/controller.go @@ -206,6 +206,7 @@ func (pc *PolicyController) updatePolicy(old, cur interface{}) { return } } + logger.V(4).Info("updating policy", "name", oldP.Name) pc.enqueuePolicy(curP) } @@ -225,11 +226,13 @@ func (pc *PolicyController) deletePolicy(obj interface{}) { return } } + logger.V(4).Info("deleting policy", "name", p.Name) // Unregister from policy meta-store if err := pc.pMetaStore.UnRegister(*p); err != nil { logger.Error(err, "failed to unregister policy", "name", p.Name) } + // we process policies that are not set of background processing as we need to perform policy violation // cleanup when a policy is deleted. pc.enqueuePolicy(p) @@ -263,6 +266,7 @@ func (pc *PolicyController) Run(workers int, stopCh <-chan struct{}) { for i := 0; i < workers; i++ { go wait.Until(pc.worker, time.Second, stopCh) } + <-stopCh } @@ -315,49 +319,54 @@ func (pc *PolicyController) syncPolicy(key string) error { defer func() { logger.V(4).Info("finished syncing policy", "key", key, "processingTime", time.Since(startTime)) }() + policy, err := pc.pLister.Get(key) if errors.IsNotFound(err) { - logger.V(2).Info("policy deleted", "key", key) - // delete cluster policy violation - if err := pc.deleteClusterPolicyViolations(key); err != nil { - return err - } - // delete namespaced policy violation - if err := pc.deleteNamespacedPolicyViolations(key); err != nil { - return err - } + go pc.deletePolicyViolations(key) // remove webhook configurations if there are no policies if err := pc.removeResourceWebhookConfiguration(); err != nil { // do not fail, if unable to delete resource webhook config logger.Error(err, "failed to remove resource webhook configurations") } + return nil } + if err != nil { return err } pc.resourceWebhookWatcher.RegisterResourceWebhook() - // process policies on existing resources engineResponses := pc.processExistingResources(*policy) - // report errors pc.cleanupAndReport(engineResponses) return nil } +func (pc *PolicyController) deletePolicyViolations(key string) { + if err := pc.deleteClusterPolicyViolations(key); err != nil { + pc.log.Error(err, "failed to delete policy violation", "key", key) + } + + if err := pc.deleteNamespacedPolicyViolations(key); err != nil { + pc.log.Error(err, "failed to delete policy violation", "key", key) + } +} + func (pc *PolicyController) deleteClusterPolicyViolations(policy string) error { cpvList, err := pc.getClusterPolicyViolationForPolicy(policy) if err != nil { return err } + for _, cpv := range cpvList { if err := pc.pvControl.DeleteClusterPolicyViolation(cpv.Name); err != nil { - return err + pc.log.Error(err, "failed to delete policy violation", "name", cpv.Name) } } + return nil } @@ -366,11 +375,13 @@ func (pc *PolicyController) deleteNamespacedPolicyViolations(policy string) erro if err != nil { return err } + for _, nspv := range nspvList { if err := pc.pvControl.DeleteNamespacedPolicyViolation(nspv.Namespace, nspv.Name); err != nil { - return err + pc.log.Error(err, "failed to delete policy violation", "name", nspv.Name) } } + return nil } diff --git a/pkg/webhookconfig/rwebhookregister.go b/pkg/webhookconfig/rwebhookregister.go index a312e07277..06e2e51c57 100644 --- a/pkg/webhookconfig/rwebhookregister.go +++ b/pkg/webhookconfig/rwebhookregister.go @@ -121,7 +121,7 @@ func (rww *ResourceWebhookRegister) RemoveResourceWebhookConfiguration() error { if err != nil { return err } - logger.V(3).Info("emoved mutating resource webhook configuration") + logger.V(3).Info("removed mutating resource webhook configuration") } if rww.RunValidationInMutatingWebhook != "true" { From b463dbf6a8ce4664721f3dab7513b92628641909 Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Sun, 17 May 2020 09:54:13 -0700 Subject: [PATCH 3/7] - allow fetching resource from dynamic client - --- pkg/dclient/client.go | 68 +++++++++++++++++++++++++------------------ 1 file changed, 40 insertions(+), 28 deletions(-) diff --git a/pkg/dclient/client.go b/pkg/dclient/client.go index e660ad797a..a074b767c5 100644 --- a/pkg/dclient/client.go +++ b/pkg/dclient/client.go @@ -221,6 +221,7 @@ func convertToCSR(obj *unstructured.Unstructured) (*certificates.CertificateSign //IDiscovery provides interface to mange Kind and GVR mapping type IDiscovery interface { + FindResource(kind string) (*meta.APIResource, schema.GroupVersionResource, error) GetGVRFromKind(kind string) schema.GroupVersionResource GetServerVersion() (*version.Info, error) OpenAPISchema() (*openapi_v2.Document, error) @@ -257,56 +258,67 @@ func (c ServerPreferredResources) Poll(resync time.Duration, stopCh <-chan struc } } +// OpenAPISchema returns the API server OpenAPI schema document func (c ServerPreferredResources) OpenAPISchema() (*openapi_v2.Document, error) { return c.cachedClient.OpenAPISchema() } -//GetGVRFromKind get the Group Version Resource from kind -// if kind is not found in first attempt we invalidate the cache, -// the retry will then fetch the new registered resources and check again -// if not found after 2 attempts, we declare kind is not found -// kind is Case sensitive +// GetGVRFromKind get the Group Version Resource from kind func (c ServerPreferredResources) GetGVRFromKind(kind string) schema.GroupVersionResource { - var gvr schema.GroupVersionResource - var err error - gvr, err = loadServerResources(kind, c.cachedClient, c.log) - if err != nil && !c.cachedClient.Fresh() { - - // invalidate cahce & re-try once more - c.cachedClient.Invalidate() - gvr, err = loadServerResources(kind, c.cachedClient, c.log) - if err == nil { - return gvr - } + _, gvr, err := c.FindResource(kind) + if err != nil { + return schema.GroupVersionResource{} } + return gvr } -//GetServerVersion returns the server version of the cluster +// GetServerVersion returns the server version of the cluster func (c ServerPreferredResources) GetServerVersion() (*version.Info, error) { return c.cachedClient.ServerVersion() } -func loadServerResources(k string, cdi discovery.CachedDiscoveryInterface, log logr.Logger) (schema.GroupVersionResource, error) { - logger := log.WithName("loadServerResources") - emptyGVR := schema.GroupVersionResource{} - serverresources, err := cdi.ServerPreferredResources() - if err != nil { - logger.V(4).Info("failed to get registered preferred resources", "err", err.Error()) +// FindResource finds an API resource that matches 'kind'. If the resource is not +// found and the Cache is not fresh, the cache is invalidated and a retry is attempted +func (c ServerPreferredResources) FindResource(kind string) (*meta.APIResource, schema.GroupVersionResource, error) { + r, gvr, err := c.findResource(kind) + if err == nil { + return r, gvr, nil } + + if !c.cachedClient.Fresh() { + c.cachedClient.Invalidate() + if r, gvr, err = c.findResource(kind); err == nil { + return r, gvr, nil + } + } + + c.log.Error(err, "failed to find resource", "kind", kind) + return nil, schema.GroupVersionResource{}, err +} + +func (c ServerPreferredResources) findResource(k string) (*meta.APIResource, schema.GroupVersionResource, error) { + serverresources, err := c.cachedClient.ServerPreferredResources() + if err != nil { + c.log.Error(err, "failed to get registered preferred resources") + return nil, schema.GroupVersionResource{}, err + } + for _, serverresource := range serverresources { for _, resource := range serverresource.APIResources { - // skip the resource names with "/", to avoid comparison with subresources + // skip the resource names with "/", to avoid comparison with subresources if resource.Kind == k && !strings.Contains(resource.Name, "/") { gv, err := schema.ParseGroupVersion(serverresource.GroupVersion) if err != nil { - logger.Error(err, "failed to parse groupVersion from schema", "groupVersion", serverresource.GroupVersion) - return emptyGVR, err + c.log.Error(err, "failed to parse groupVersion", "groupVersion", serverresource.GroupVersion) + return nil, schema.GroupVersionResource{}, err } - return gv.WithResource(resource.Name), nil + + return &resource, gv.WithResource(resource.Name), nil } } } - return emptyGVR, fmt.Errorf("kind '%s' not found", k) + + return nil, schema.GroupVersionResource{}, fmt.Errorf("kind '%s' not found", k) } From 993bad7b65d663cc65f8803c59631f3a3b98a5ea Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Sun, 17 May 2020 09:54:32 -0700 Subject: [PATCH 4/7] improve comments --- pkg/policy/apply.go | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/pkg/policy/apply.go b/pkg/policy/apply.go index ad60ad5d6d..6ec7666c70 100644 --- a/pkg/policy/apply.go +++ b/pkg/policy/apply.go @@ -21,10 +21,14 @@ import ( //TODO: generation rules func applyPolicy(policy kyverno.ClusterPolicy, resource unstructured.Unstructured, logger logr.Logger) (responses []response.EngineResponse) { startTime := time.Now() - - logger.Info("start applying policy", "startTime", startTime) defer func() { - logger.Info("finisnhed applying policy", "processingTime", time.Since(startTime)) + name := resource.GetKind() + "/" + resource.GetName() + ns := resource.GetNamespace() + if ns != "" { + name = ns + "/" + name + } + + logger.V(3).Info("applyPolicy", "resource", name, "processingTime", time.Since(startTime)) }() var engineResponses []response.EngineResponse From 304c75403e2231aa9f0ff8c645b1e99fa0cceb59 Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Sun, 17 May 2020 14:37:05 -0700 Subject: [PATCH 5/7] - skip resource schema validation when no mutate rules are applied - cleanup webhook registration logic and logs --- go.mod | 1 + go.sum | 9 +++ pkg/checker/checker.go | 28 ++++--- pkg/checker/status.go | 41 ++++++---- pkg/dclient/client.go | 2 +- pkg/webhookconfig/checker.go | 18 +++-- pkg/webhookconfig/registration.go | 48 +++++++----- pkg/webhookconfig/resource.go | 23 ++++-- pkg/webhookconfig/rwebhookregister.go | 104 ++++++++++++++------------ pkg/webhooks/mutation.go | 27 +++++-- pkg/webhooks/policymutation.go | 16 ++-- pkg/webhooks/server.go | 48 ++++++------ pkg/webhooks/validation.go | 17 ++++- 13 files changed, 237 insertions(+), 145 deletions(-) diff --git a/go.mod b/go.mod index f8dcbdf549..5ea14164c1 100644 --- a/go.mod +++ b/go.mod @@ -14,6 +14,7 @@ require ( github.com/json-iterator/go v1.1.9 // indirect github.com/julienschmidt/httprouter v1.3.0 github.com/minio/minio v0.0.0-20200114012931-30922148fbb5 + github.com/rogpeppe/godef v1.1.2 // indirect github.com/spf13/cobra v0.0.5 github.com/tevino/abool v0.0.0-20170917061928-9b9efcf221b5 golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553 // indirect diff --git a/go.sum b/go.sum index a8e3e37eb8..fd8613ac08 100644 --- a/go.sum +++ b/go.sum @@ -1,3 +1,5 @@ +9fans.net/go v0.0.0-20181112161441-237454027057 h1:OcHlKWkAMJEF1ndWLGxp5dnJQkYM/YImUOvsBoz6h5E= +9fans.net/go v0.0.0-20181112161441-237454027057/go.mod h1:diCsxrliIURU9xsYtjCp5AbpQKqdhKmf0ujWDUSkfoY= cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= @@ -732,6 +734,8 @@ github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6So github.com/rogpeppe/go-internal v1.0.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rogpeppe/go-internal v1.2.2/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= +github.com/rogpeppe/godef v1.1.2 h1:c5mCx0EcCORJOdVMREX7Lgh1raTxAHFmOfXdEB9u8Jw= +github.com/rogpeppe/godef v1.1.2/go.mod h1:WtY9A/ovuQ+UakAJ1/CEqwwulX/WJjb2kgkokCHi/GY= github.com/rs/cors v1.6.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU= github.com/rubenv/sql-migrate v0.0.0-20190212093014-1007f53448d7/go.mod h1:WS0rl9eEliYI8DPnr3TOwz4439pay+qNgzJoVya/DmY= github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= @@ -872,6 +876,7 @@ golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20190617133340-57b3e21c3d56/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191117063200-497ca9f6d64f/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200109152110-61a87790db17 h1:nVJ3guKA9qdkEQ3TUdXI9QSINo2CUPM/cySEvw2w8I0= golang.org/x/crypto v0.0.0-20200109152110-61a87790db17/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= @@ -886,6 +891,7 @@ golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTk golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= +golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180816102801-aaf60122140d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -1036,7 +1042,10 @@ golang.org/x/tools v0.0.0-20190624190245-7f2218787638/go.mod h1:/rFqwRUd4F7ZHNgw golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= golang.org/x/tools v0.0.0-20190711191110-9a621aea19f8/go.mod h1:jcCCGcm9btYwXyDqrUWc6MKQKKGJCWEQ3AfLSRIbEuI= golang.org/x/tools v0.0.0-20190920225731-5eefd052ad72/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20200226224502-204d844ad48d h1:loGv/4fxITSrCD4t2P8ZF4oUC4RlRFDAsczcoUS2g6c= +golang.org/x/tools v0.0.0-20200226224502-204d844ad48d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= gomodules.xyz/jsonpatch/v2 v2.0.1/go.mod h1:IhYNNY4jnS53ZnfE4PAmpKtDpTCj1JFXc+3mwe7XcUU= google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= google.golang.org/api v0.5.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= diff --git a/pkg/checker/checker.go b/pkg/checker/checker.go index 16b8276d40..b0a3016b31 100644 --- a/pkg/checker/checker.go +++ b/pkg/checker/checker.go @@ -1,6 +1,7 @@ package checker import ( + "fmt" "sync" "time" @@ -32,10 +33,11 @@ func (t *LastReqTime) Time() time.Time { return t.t } -//SetTime stes the lastrequest time +//SetTime updates the lastrequest time func (t *LastReqTime) SetTime(tm time.Time) { t.mu.Lock() defer t.mu.Unlock() + t.t = tm } @@ -52,6 +54,7 @@ func checkIfPolicyWithMutateAndGenerateExists(pLister kyvernolister.ClusterPolic if err != nil { log.Error(err, "failed to list cluster policies") } + for _, policy := range policies { if policy.HasMutateOrValidateOrGenerate() { // as there exists one policy with mutate or validate rule @@ -59,13 +62,14 @@ func checkIfPolicyWithMutateAndGenerateExists(pLister kyvernolister.ClusterPolic return true } } + return false } //Run runs the checker and verify the resource update func (t *LastReqTime) Run(pLister kyvernolister.ClusterPolicyLister, eventGen event.Interface, client *dclient.Client, defaultResync time.Duration, deadline time.Duration, stopCh <-chan struct{}) { logger := t.log - logger.V(2).Info("tarting default resync for webhook checker", "resyncTime", defaultResync) + logger.V(4).Info("starting default resync for webhook checker", "resyncTime", defaultResync) maxDeadline := deadline * time.Duration(MaxRetryCount) ticker := time.NewTicker(defaultResync) /// interface to update and increment kyverno webhook status via annotations @@ -85,35 +89,37 @@ func (t *LastReqTime) Run(pLister kyvernolister.ClusterPolicyLister, eventGen ev for { select { case <-ticker.C: - // if there are no policies then we dont have a webhook on resource. - // we indirectly check if the resource if !checkIfPolicyWithMutateAndGenerateExists(pLister, logger) { continue } - // get current time + timeDiff := time.Since(t.Time()) if timeDiff > maxDeadline { - logger.Info("request exceeded max deadline", "deadline", maxDeadline) - logger.Info("Admission Control failing: Webhook is not receiving requests forwarded by api-server as per webhook configurations") - // set the status unavailable + err := fmt.Errorf("Admission control configuration error") + logger.Error(err, "webhook check failed", "deadline", maxDeadline) if err := statuscontrol.FailedStatus(); err != nil { - logger.Error(err, "failed to set 'failed' status") + logger.Error(err, "error setting webhook check status to failed") } + continue } + if timeDiff > deadline { - logger.Info("Admission Control failing: Webhook is not receiving requests forwarded by api-server as per webhook configurations") + logger.V(3).Info("webhook check deadline exceeded", "deadline", deadline) // send request to update the kyverno deployment if err := statuscontrol.IncrementAnnotation(); err != nil { logger.Error(err, "failed to increment annotation") } + continue } + // if the status was false before then we update it to true // send request to update the kyverno deployment if err := statuscontrol.SuccessStatus(); err != nil { - logger.Error(err, "failed to update success status") + logger.Error(err, "error setting webhook check status to success") } + case <-stopCh: // handler termination signal logger.V(2).Info("stopping default resync for webhook checker") diff --git a/pkg/checker/status.go b/pkg/checker/status.go index 110abf8eef..2c466e1c95 100644 --- a/pkg/checker/status.go +++ b/pkg/checker/status.go @@ -13,7 +13,7 @@ const deployName string = "kyverno" const deployNamespace string = "kyverno" const annCounter string = "kyverno.io/generationCounter" -const annWebhookStats string = "kyverno.io/webhookActive" +const annWebhookStatus string = "kyverno.io/webhookActive" //StatusInterface provides api to update webhook active annotations on kyverno deployments type StatusInterface interface { @@ -52,37 +52,42 @@ func NewVerifyControl(client *dclient.Client, eventGen event.Interface, log logr } func (vc StatusControl) setStatus(status string) error { - logger := vc.log - logger.Info(fmt.Sprintf("setting deployment %s in ns %s annotation %s to %s", deployName, deployNamespace, annWebhookStats, status)) + logger := vc.log.WithValues("name", deployName, "namespace", deployNamespace) var ann map[string]string var err error deploy, err := vc.client.GetResource("Deployment", deployNamespace, deployName) if err != nil { - logger.Error(err, "failed to get deployment resource") + logger.Error(err, "failed to get deployment") return err } + ann = deploy.GetAnnotations() if ann == nil { ann = map[string]string{} - ann[annWebhookStats] = status + ann[annWebhookStatus] = status } - webhookAction, ok := ann[annWebhookStats] + + deployStatus, ok := ann[annWebhookStatus] if ok { // annotatiaion is present - if webhookAction == status { - logger.V(4).Info(fmt.Sprintf("annotation %s already set to '%s'", annWebhookStats, status)) + if deployStatus == status { + logger.V(4).Info(fmt.Sprintf("annotation %s already set to '%s'", annWebhookStatus, status)) return nil } } + // set the status - ann[annWebhookStats] = status + logger.Info("updating deployment annotation", "key", annWebhookStatus, "val", status) + ann[annWebhookStatus] = status deploy.SetAnnotations(ann) + // update counter _, err = vc.client.UpdateResource("Deployment", deployNamespace, deploy, false) if err != nil { - logger.Error(err, fmt.Sprintf("failed to update annotation %s for deployment %s in namespace %s", annWebhookStats, deployName, deployNamespace)) + logger.Error(err, "failed to update deployment annotation", "key", annWebhookStatus, "val", status) return err } + // create event on kyverno deployment createStatusUpdateEvent(status, vc.eventGen) return nil @@ -101,34 +106,42 @@ func createStatusUpdateEvent(status string, eventGen event.Interface) { //IncrementAnnotation ... func (vc StatusControl) IncrementAnnotation() error { logger := vc.log - logger.Info(fmt.Sprintf("setting deployment %s in ns %s annotation %s", deployName, deployNamespace, annCounter)) var ann map[string]string var err error deploy, err := vc.client.GetResource("Deployment", deployNamespace, deployName) if err != nil { - logger.Error(err, "failed to get deployment %s in namespace %s", deployName, deployNamespace) + logger.Error(err, "failed to find deployment %s in namespace %s", deployName, deployNamespace) return err } + ann = deploy.GetAnnotations() if ann == nil { ann = map[string]string{} + } + + if ann[annCounter] == "" { ann[annCounter] = "0" } + counter, err := strconv.Atoi(ann[annCounter]) if err != nil { - logger.Error(err, "Failed to parse string") + logger.Error(err, "Failed to parse string", "name", annCounter, "value", ann[annCounter]) return err } + // increment counter counter++ ann[annCounter] = strconv.Itoa(counter) - logger.Info("incrementing annotation", "old", annCounter, "new", counter) + + logger.V(3).Info("updating webhook test annotation", "key", annCounter, "value", counter, "deployment", deployName, "namespace", deployNamespace) deploy.SetAnnotations(ann) + // update counter _, err = vc.client.UpdateResource("Deployment", deployNamespace, deploy, false) if err != nil { logger.Error(err, fmt.Sprintf("failed to update annotation %s for deployment %s in namespace %s", annCounter, deployName, deployNamespace)) return err } + return nil } diff --git a/pkg/dclient/client.go b/pkg/dclient/client.go index a074b767c5..7c27f01b2a 100644 --- a/pkg/dclient/client.go +++ b/pkg/dclient/client.go @@ -267,6 +267,7 @@ func (c ServerPreferredResources) OpenAPISchema() (*openapi_v2.Document, error) func (c ServerPreferredResources) GetGVRFromKind(kind string) schema.GroupVersionResource { _, gvr, err := c.FindResource(kind) if err != nil { + c.log.Info("schema not found", "kind", kind) return schema.GroupVersionResource{} } @@ -293,7 +294,6 @@ func (c ServerPreferredResources) FindResource(kind string) (*meta.APIResource, } } - c.log.Error(err, "failed to find resource", "kind", kind) return nil, schema.GroupVersionResource{}, err } diff --git a/pkg/webhookconfig/checker.go b/pkg/webhookconfig/checker.go index db1e765629..50a8c100f2 100644 --- a/pkg/webhookconfig/checker.go +++ b/pkg/webhookconfig/checker.go @@ -60,7 +60,7 @@ func (wrc *WebhookRegistrationClient) constructDebugVerifyMutatingWebhookConfig( func (wrc *WebhookRegistrationClient) removeVerifyWebhookMutatingWebhookConfig(wg *sync.WaitGroup) { defer wg.Done() - // Mutating webhook configuration + var err error var mutatingConfig string if wrc.serverIP != "" { @@ -68,14 +68,18 @@ func (wrc *WebhookRegistrationClient) removeVerifyWebhookMutatingWebhookConfig(w } else { mutatingConfig = config.VerifyMutatingWebhookConfigurationName } + logger := wrc.log.WithValues("name", mutatingConfig) - logger.V(4).Info("removing webhook configuration") err = wrc.client.DeleteResource(MutatingWebhookConfigurationKind, "", mutatingConfig, false) if errorsapi.IsNotFound(err) { - logger.Error(err, "verify webhook configuration, does not exits. not deleting") - } else if err != nil { - logger.Error(err, "failed to delete verify wwebhook configuration") - } else { - logger.V(4).Info("successfully deleted verify webhook configuration") + logger.V(5).Info("verify webhook configuration not found") + return } + + if err != nil { + logger.Error(err, "failed to delete verify wwebhook configuration") + return + } + + logger.V(4).Info("successfully deleted verify webhook configuration") } diff --git a/pkg/webhookconfig/registration.go b/pkg/webhookconfig/registration.go index 8124ad39d4..32bd6a9dd0 100644 --- a/pkg/webhookconfig/registration.go +++ b/pkg/webhookconfig/registration.go @@ -51,7 +51,7 @@ func NewWebhookRegistrationClient( func (wrc *WebhookRegistrationClient) Register() error { logger := wrc.log.WithName("Register") if wrc.serverIP != "" { - logger.Info("Registering webhook", "url", fmt.Sprintf("https://%s", wrc.serverIP)) + logger.V(4).Info("Registering webhook", "url", fmt.Sprintf("https://%s", wrc.serverIP)) } // For the case if cluster already has this configs @@ -249,20 +249,23 @@ func (wrc *WebhookRegistrationClient) createVerifyMutatingWebhookConfiguration() // Register will fail if the config exists, so there is no need to fail on error func (wrc *WebhookRegistrationClient) removeWebhookConfigurations() { startTime := time.Now() - wrc.log.Info("Started cleaning up webhookconfigurations") + wrc.log.Info("removing prior webhook configurations") defer func() { - wrc.log.V(4).Info("Finished cleaning up webhookcongfigurations", "processingTime", time.Since(startTime)) + wrc.log.V(4).Info("removed webhookcongfigurations", "processingTime", time.Since(startTime)) }() var wg sync.WaitGroup wg.Add(5) + // mutating and validating webhook configuration for Kubernetes resources go wrc.removeResourceMutatingWebhookConfiguration(&wg) go wrc.removeResourceValidatingWebhookConfiguration(&wg) + // mutating and validating webhook configurtion for Policy CRD resource go wrc.removePolicyMutatingWebhookConfiguration(&wg) go wrc.removePolicyValidatingWebhookConfiguration(&wg) + // mutating webhook configuration for verifying webhook go wrc.removeVerifyWebhookMutatingWebhookConfig(&wg) @@ -285,48 +288,53 @@ func (wrc *WebhookRegistrationClient) removeResourceValidatingWebhookConfigurati } } -// delete policy mutating webhookconfigurations -// handle wait group func (wrc *WebhookRegistrationClient) removePolicyMutatingWebhookConfiguration(wg *sync.WaitGroup) { defer wg.Done() - // Mutating webhook configuration + var mutatingConfig string if wrc.serverIP != "" { mutatingConfig = config.PolicyMutatingWebhookConfigurationDebugName } else { mutatingConfig = config.PolicyMutatingWebhookConfigurationName } + logger := wrc.log.WithValues("name", mutatingConfig) - logger.V(4).Info("removing mutating webhook configuration") err := wrc.client.DeleteResource(MutatingWebhookConfigurationKind, "", mutatingConfig, false) if errorsapi.IsNotFound(err) { - logger.Error(err, "policy mutating webhook configuration does not exist, not deleting") - } else if err != nil { - logger.Error(err, "failed to delete policy mutating webhook configuration") - } else { - logger.V(4).Info("successfully deleted policy mutating webhook configutation") + logger.V(5).Info("policy mutating webhook configuration not found") + return } + + if err != nil { + logger.Error(err, "failed to delete policy mutating webhook configuration") + return + } + + logger.V(4).Info("successfully deleted policy mutating webhook configutation") } -// delete policy validating webhookconfigurations -// handle wait group func (wrc *WebhookRegistrationClient) removePolicyValidatingWebhookConfiguration(wg *sync.WaitGroup) { defer wg.Done() - // Validating webhook configuration + var validatingConfig string if wrc.serverIP != "" { validatingConfig = config.PolicyValidatingWebhookConfigurationDebugName } else { validatingConfig = config.PolicyValidatingWebhookConfigurationName } + logger := wrc.log.WithValues("name", validatingConfig) logger.V(4).Info("removing validating webhook configuration") err := wrc.client.DeleteResource(ValidatingWebhookConfigurationKind, "", validatingConfig, false) if errorsapi.IsNotFound(err) { - logger.Error(err, "policy validating webhook configuration does not exist, not deleting") - } else if err != nil { - logger.Error(err, "failed to delete policy validating webhook configuration") - } else { - logger.V(4).Info("successfully deleted policy validating webhook configutation") + logger.V(5).Info("policy validating webhook configuration not found") + return } + + if err != nil { + logger.Error(err, "failed to delete policy validating webhook configuration") + return + } + + logger.V(4).Info("successfully deleted policy validating webhook configutation") } diff --git a/pkg/webhookconfig/resource.go b/pkg/webhookconfig/resource.go index 050517da0a..82170d3604 100644 --- a/pkg/webhookconfig/resource.go +++ b/pkg/webhookconfig/resource.go @@ -12,7 +12,7 @@ import ( func (wrc *WebhookRegistrationClient) constructDebugMutatingWebhookConfig(caData []byte) *admregapi.MutatingWebhookConfiguration { logger := wrc.log url := fmt.Sprintf("https://%s%s", wrc.serverIP, config.MutatingWebhookServicePath) - logger.V(4).Info("Debug MutatingWebhookConfig registed", "url", url) + logger.V(4).Info("Debug MutatingWebhookConfig registered", "url", url) return &admregapi.MutatingWebhookConfiguration{ ObjectMeta: v1.ObjectMeta{ Name: config.MutatingWebhookConfigurationDebugName, @@ -57,7 +57,7 @@ func (wrc *WebhookRegistrationClient) constructMutatingWebhookConfig(caData []by } } -//GetResourceMutatingWebhookConfigName provi +//GetResourceMutatingWebhookConfigName returns the webhook configuration name func (wrc *WebhookRegistrationClient) GetResourceMutatingWebhookConfigName() string { if wrc.serverIP != "" { return config.MutatingWebhookConfigurationDebugName @@ -72,14 +72,16 @@ func (wrc *WebhookRegistrationClient) RemoveResourceMutatingWebhookConfiguration // delete webhook configuration err := wrc.client.DeleteResource(MutatingWebhookConfigurationKind, "", configName, false) if errors.IsNotFound(err) { - logger.Error(err, "resource does not exit") + logger.V(5).Info("webhook configuration not found") return nil } + if err != nil { - logger.V(4).Info("failed to delete resource") + logger.V(4).Info("failed to delete webhook configuration") return err } - logger.V(4).Info("deleted resource") + + logger.V(4).Info("deleted webhook configuration") return nil } @@ -130,25 +132,30 @@ func (wrc *WebhookRegistrationClient) constructValidatingWebhookConfig(caData [] } } +// GetResourceValidatingWebhookConfigName returns the webhook configuration name func (wrc *WebhookRegistrationClient) GetResourceValidatingWebhookConfigName() string { if wrc.serverIP != "" { return config.ValidatingWebhookConfigurationDebugName } + return config.ValidatingWebhookConfigurationName } +// RemoveResourceValidatingWebhookConfiguration deletes an existing webhook configuration func (wrc *WebhookRegistrationClient) RemoveResourceValidatingWebhookConfiguration() error { configName := wrc.GetResourceValidatingWebhookConfigName() logger := wrc.log.WithValues("kind", ValidatingWebhookConfigurationKind, "name", configName) err := wrc.client.DeleteResource(ValidatingWebhookConfigurationKind, "", configName, false) if errors.IsNotFound(err) { - logger.Error(err, "resource does not exist; deleted already") + logger.V(5).Info("webhook configuration not found") return nil } + if err != nil { - logger.Error(err, "failed to delete the resource") + logger.Error(err, "failed to delete the webhook configuration") return err } - logger.Info("resource deleted") + + logger.Info("webhook configuration deleted") return nil } diff --git a/pkg/webhookconfig/rwebhookregister.go b/pkg/webhookconfig/rwebhookregister.go index 06e2e51c57..38a3fbfb7a 100644 --- a/pkg/webhookconfig/rwebhookregister.go +++ b/pkg/webhookconfig/rwebhookregister.go @@ -14,11 +14,11 @@ import ( //ResourceWebhookRegister manages the resource webhook registration type ResourceWebhookRegister struct { // pendingCreation indicates the status of resource webhook creation - pendingCreation *abool.AtomicBool - LastReqTime *checker.LastReqTime - mwebhookconfigSynced cache.InformerSynced - vwebhookconfigSynced cache.InformerSynced - // list/get mutatingwebhookconfigurations + pendingMutateWebhookCreation *abool.AtomicBool + pendingValidateWebhookCreation *abool.AtomicBool + LastReqTime *checker.LastReqTime + mwebhookconfigSynced cache.InformerSynced + vwebhookconfigSynced cache.InformerSynced mWebhookConfigLister mconfiglister.MutatingWebhookConfigurationLister vWebhookConfigLister mconfiglister.ValidatingWebhookConfigurationLister webhookRegistrationClient *WebhookRegistrationClient @@ -36,7 +36,8 @@ func NewResourceWebhookRegister( log logr.Logger, ) *ResourceWebhookRegister { return &ResourceWebhookRegister{ - pendingCreation: abool.New(), + pendingMutateWebhookCreation: abool.New(), + pendingValidateWebhookCreation: abool.New(), LastReqTime: lastReqTime, mwebhookconfigSynced: mconfigwebhookinformer.Informer().HasSynced, mWebhookConfigLister: mconfigwebhookinformer.Lister(), @@ -50,51 +51,60 @@ func NewResourceWebhookRegister( //RegisterResourceWebhook registers a resource webhook func (rww *ResourceWebhookRegister) RegisterResourceWebhook() { - logger := rww.log - // drop the request if creation is in processing - if rww.pendingCreation.IsSet() { - logger.V(3).Info("resource webhook configuration is in pending creation, skip the request") + timeDiff := time.Since(rww.LastReqTime.Time()) + if timeDiff < checker.DefaultDeadline { + if !rww.pendingMutateWebhookCreation.IsSet() { + go rww.createMutatingWebhook() + } + + if !rww.pendingValidateWebhookCreation.IsSet() { + go rww.createValidateWebhook() + } + } +} + +func (rww *ResourceWebhookRegister) createMutatingWebhook() { + rww.pendingMutateWebhookCreation.Set() + defer rww.pendingMutateWebhookCreation.UnSet() + + mutatingConfigName := rww.webhookRegistrationClient.GetResourceMutatingWebhookConfigName() + mutatingConfig, _ := rww.mWebhookConfigLister.Get(mutatingConfigName) + if mutatingConfig != nil { + rww.log.V(5).Info("mutating webhoook configuration exists", "name", mutatingConfigName) + } else { + err := rww.webhookRegistrationClient.CreateResourceMutatingWebhookConfiguration() + if err != nil { + rww.log.Error(err, "failed to create resource mutating webhook configuration, re-queue creation request") + rww.RegisterResourceWebhook() + return + } + + rww.log.V(2).Info("created mutating webhook", "name", mutatingConfigName) + } +} + +func (rww *ResourceWebhookRegister) createValidateWebhook() { + rww.pendingValidateWebhookCreation.Set() + defer rww.pendingValidateWebhookCreation.UnSet() + + if rww.RunValidationInMutatingWebhook == "true" { + rww.log.V(2).Info("validation is configured to run during mutate webhook") return } - timeDiff := time.Since(rww.LastReqTime.Time()) - if timeDiff < checker.DefaultDeadline { - logger.V(3).Info("verified webhook status, creating webhook configuration") - go func() { - mutatingConfigName := rww.webhookRegistrationClient.GetResourceMutatingWebhookConfigName() - mutatingConfig, _ := rww.mWebhookConfigLister.Get(mutatingConfigName) - if mutatingConfig != nil { - logger.V(4).Info("mutating webhoook configuration already exists") - } else { - rww.pendingCreation.Set() - err1 := rww.webhookRegistrationClient.CreateResourceMutatingWebhookConfiguration() - rww.pendingCreation.UnSet() - if err1 != nil { - logger.Error(err1, "failed to create resource mutating webhook configuration, re-queue creation request") - rww.RegisterResourceWebhook() - return - } - logger.V(3).Info("successfully created mutating webhook configuration for resources") - } + validatingConfigName := rww.webhookRegistrationClient.GetResourceValidatingWebhookConfigName() + validatingConfig, _ := rww.vWebhookConfigLister.Get(validatingConfigName) + if validatingConfig != nil { + rww.log.V(4).Info("validating webhoook configuration exists", "name", validatingConfigName) + } else { + err := rww.webhookRegistrationClient.CreateResourceValidatingWebhookConfiguration() + if err != nil { + rww.log.Error(err, "failed to create resource validating webhook configuration; re-queue creation request") + rww.RegisterResourceWebhook() + return + } - if rww.RunValidationInMutatingWebhook != "true" { - validatingConfigName := rww.webhookRegistrationClient.GetResourceValidatingWebhookConfigName() - validatingConfig, _ := rww.vWebhookConfigLister.Get(validatingConfigName) - if validatingConfig != nil { - logger.V(4).Info("validating webhoook configuration already exists") - } else { - rww.pendingCreation.Set() - err2 := rww.webhookRegistrationClient.CreateResourceValidatingWebhookConfiguration() - rww.pendingCreation.UnSet() - if err2 != nil { - logger.Error(err2, "failed to create resource validating webhook configuration; re-queue creation request") - rww.RegisterResourceWebhook() - return - } - logger.V(3).Info("successfully created validating webhook configuration for resources") - } - } - }() + rww.log.V(2).Info("created validating webhook", "name", validatingConfigName) } } diff --git a/pkg/webhooks/mutation.go b/pkg/webhooks/mutation.go index 0afdefa90a..0c057d81b6 100644 --- a/pkg/webhooks/mutation.go +++ b/pkg/webhooks/mutation.go @@ -18,9 +18,17 @@ import ( // HandleMutation handles mutating webhook admission request // return value: generated patches -func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resource unstructured.Unstructured, policies []kyverno.ClusterPolicy, roles, clusterRoles []string) []byte { - logger := ws.log.WithValues("action", "mutation", "uid", request.UID, "kind", request.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation) - logger.V(4).Info("incoming request") +func (ws *WebhookServer) HandleMutation( + request *v1beta1.AdmissionRequest, + resource unstructured.Unstructured, + policies []kyverno.ClusterPolicy, roles, clusterRoles []string) []byte { + + resourceName := request.Kind.Kind + "/" + request.Name + if request.Namespace != "" { + resourceName = request.Namespace + "/" + resourceName + } + + logger := ws.log.WithValues("action", "mutate", "resource", resourceName, "operation", request.Operation) var patches [][]byte var engineResponses []response.EngineResponse @@ -55,21 +63,27 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resou } for _, policy := range policies { - logger.V(2).Info("evaluating policy", "policy", policy.Name) + logger.V(3).Info("evaluating policy", "policy", policy.Name) policyContext.Policy = policy engineResponse := engine.Mutate(policyContext) + if engineResponse.PolicyResponse.RulesAppliedCount <= 0 { + continue + } + engineResponses = append(engineResponses, engineResponse) ws.statusListener.Send(mutateStats{resp: engineResponse}) if !engineResponse.IsSuccesful() { - logger.V(4).Info("failed to apply policy", "policy", policy.Name) + logger.Info("failed to apply policy", "policy", policy.Name) continue } + err := ws.openAPIController.ValidateResource(*engineResponse.PatchedResource.DeepCopy(), engineResponse.PatchedResource.GetKind()) if err != nil { - logger.Error(err, "failed to validate resource") + logger.Error(err, "validation error", "policy", policy.Name) continue } + // gather patches patches = append(patches, engineResponse.GetPatches()...) logger.Info("mutation rules from policy applied succesfully", "policy", policy.Name) @@ -86,6 +100,7 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resou // generate violation when response fails pvInfos := policyviolation.GeneratePVsFromEngineResponse(engineResponses, logger) ws.pvGenerator.Add(pvInfos...) + // REPORTING EVENTS // Scenario 1: // some/all policies failed to apply on the resource. a policy volation is generated. diff --git a/pkg/webhooks/policymutation.go b/pkg/webhooks/policymutation.go index dea2f87fff..ef69173329 100644 --- a/pkg/webhooks/policymutation.go +++ b/pkg/webhooks/policymutation.go @@ -81,7 +81,7 @@ func generateJSONPatchesForDefaults(policy *kyverno.ClusterPolicy, log logr.Logg } func defaultBackgroundFlag(policy *kyverno.ClusterPolicy, log logr.Logger) ([]byte, string) { - // default 'Background' flag to 'true' if not specified + // set 'Background' flag to 'true' if not specified defaultVal := true if policy.Spec.Background == nil { log.V(4).Info("setting default value", "spec.background", true) @@ -94,19 +94,22 @@ func defaultBackgroundFlag(policy *kyverno.ClusterPolicy, log logr.Logger) ([]by "add", &defaultVal, } + patchByte, err := json.Marshal(jsonPatch) if err != nil { log.Error(err, "failed to set default value", "spec.background", true) return nil, "" } - log.Info("generated JSON Patch to set default", "spec.background", true) + + log.V(3).Info("generated JSON Patch to set default", "spec.background", true) return patchByte, fmt.Sprintf("default 'Background' to '%s'", strconv.FormatBool(true)) } + return nil, "" } func defaultvalidationFailureAction(policy *kyverno.ClusterPolicy, log logr.Logger) ([]byte, string) { - // default ValidationFailureAction to "audit" if not specified + // set ValidationFailureAction to "audit" if not specified if policy.Spec.ValidationFailureAction == "" { log.V(4).Info("setting defautl value", "spec.validationFailureAction", Audit) jsonPatch := struct { @@ -116,16 +119,19 @@ func defaultvalidationFailureAction(policy *kyverno.ClusterPolicy, log logr.Logg }{ "/spec/validationFailureAction", "add", - Audit, //audit + Audit, } + patchByte, err := json.Marshal(jsonPatch) if err != nil { log.Error(err, "failed to default value", "spec.validationFailureAction", Audit) return nil, "" } - log.Info("generated JSON Patch to set default", "spec.validationFailureAction", Audit) + + log.V(3).Info("generated JSON Patch to set default", "spec.validationFailureAction", Audit) return patchByte, fmt.Sprintf("default 'ValidationFailureAction' to '%s'", Audit) } + return nil, "" } diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go index f1517ef66f..ea4963a963 100644 --- a/pkg/webhooks/server.go +++ b/pkg/webhooks/server.go @@ -37,7 +37,6 @@ import ( ) // WebhookServer contains configured TLS server with MutationWebhook. -// MutationWebhook gets policies from policyController and takes control of the cluster with kubeclient. type WebhookServer struct { server http.Server client *client.Client @@ -150,15 +149,16 @@ func NewWebhookServer( } func (ws *WebhookServer) handlerFunc(handler func(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse, filter bool) http.HandlerFunc { - return func(w http.ResponseWriter, r *http.Request) { + return func(rw http.ResponseWriter, r *http.Request) { startTime := time.Now() - // for every request received on the ep update last request time, - // this is used to verify admission control - ws.lastReqTime.SetTime(time.Now()) - admissionReview := ws.bodyToAdmissionReview(r, w) + ws.lastReqTime.SetTime(startTime) + + admissionReview := ws.bodyToAdmissionReview(r, rw) if admissionReview == nil { + ws.log.Info("failed to parse admission review request", "request", r) return } + logger := ws.log.WithValues("kind", admissionReview.Request.Kind, "namespace", admissionReview.Request.Namespace, "name", admissionReview.Request.Name) defer func() { logger.V(4).Info("request processed", "processingTime", time.Since(startTime)) @@ -166,29 +166,32 @@ func (ws *WebhookServer) handlerFunc(handler func(request *v1beta1.AdmissionRequ admissionReview.Response = &v1beta1.AdmissionResponse{ Allowed: true, + UID: admissionReview.Request.UID, } // Do not process the admission requests for kinds that are in filterKinds for filtering request := admissionReview.Request - if filter { - if !ws.configHandler.ToFilter(request.Kind.Kind, request.Namespace, request.Name) { - admissionReview.Response = handler(request) - } - } else { - admissionReview.Response = handler(request) - } - admissionReview.Response.UID = request.UID - - responseJSON, err := json.Marshal(admissionReview) - if err != nil { - http.Error(w, fmt.Sprintf("Could not encode response: %v", err), http.StatusInternalServerError) + if filter && ws.configHandler.ToFilter(request.Kind.Kind, request.Namespace, request.Name) { + writeResponse(rw, admissionReview) return } - w.Header().Set("Content-Type", "application/json; charset=utf-8") - if _, err := w.Write(responseJSON); err != nil { - http.Error(w, fmt.Sprintf("could not write response: %v", err), http.StatusInternalServerError) - } + admissionReview.Response = handler(request) + writeResponse(rw, admissionReview) + return + } +} + +func writeResponse(rw http.ResponseWriter, admissionReview *v1beta1.AdmissionReview) { + responseJSON, err := json.Marshal(admissionReview) + if err != nil { + http.Error(rw, fmt.Sprintf("Could not encode response: %v", err), http.StatusInternalServerError) + return + } + + rw.Header().Set("Content-Type", "application/json; charset=utf-8") + if _, err := rw.Write(responseJSON); err != nil { + http.Error(rw, fmt.Sprintf("could not write response: %v", err), http.StatusInternalServerError) } } @@ -342,6 +345,7 @@ func (ws *WebhookServer) RunAsync(stopCh <-chan struct{}) { } }(ws) logger.Info("starting") + // verifys if the admission control is enabled and active // resync: 60 seconds // deadline: 60 seconds (send request) diff --git a/pkg/webhooks/validation.go b/pkg/webhooks/validation.go index d0b49347ad..d35b7027fd 100644 --- a/pkg/webhooks/validation.go +++ b/pkg/webhooks/validation.go @@ -17,9 +17,17 @@ import ( // HandleValidation handles validating webhook admission request // If there are no errors in validating rule we apply generation rules // patchedResource is the (resource + patches) after applying mutation rules -func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, policies []kyverno.ClusterPolicy, patchedResource []byte, roles, clusterRoles []string) (bool, string) { - logger := ws.log.WithValues("action", "validation", "uid", request.UID, "kind", request.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation) - logger.V(4).Info("incoming request") +func (ws *WebhookServer) HandleValidation( + request *v1beta1.AdmissionRequest, + policies []kyverno.ClusterPolicy, + patchedResource []byte, roles, clusterRoles []string) (bool, string) { + + resourceName := request.Kind.Kind + "/" + request.Name + if request.Namespace != "" { + resourceName = request.Namespace + "/" + resourceName + } + + logger := ws.log.WithValues("action", "validate", "resource", resourceName, "operation", request.Operation) // Get new and old resource newR, oldR, err := extractResources(patchedResource, request) @@ -28,6 +36,7 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, pol logger.Error(err, "failed to extract resource") return true, "" } + userRequestInfo := kyverno.RequestInfo{ Roles: roles, ClusterRoles: clusterRoles, @@ -58,7 +67,7 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, pol } var engineResponses []response.EngineResponse for _, policy := range policies { - logger.V(2).Info("evaluating policy", "policy", policy.Name) + logger.V(3).Info("evaluating policy", "policy", policy.Name) policyContext.Policy = policy engineResponse := engine.Validate(policyContext) if reflect.DeepEqual(engineResponse, response.EngineResponse{}) { From 573eb9cf13313d95b2a249cd06192fc280794d01 Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Sun, 17 May 2020 14:48:17 -0700 Subject: [PATCH 6/7] increase worker count for policyController --- cmd/kyverno/main.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cmd/kyverno/main.go b/cmd/kyverno/main.go index 2413177ad2..42cea9532b 100644 --- a/cmd/kyverno/main.go +++ b/cmd/kyverno/main.go @@ -175,7 +175,7 @@ func main() { // - reconciliation policy and policy violation // - process policy on existing resources // - status aggregator: receives stats when a policy is applied & updates the policy status - pc, err := policy.NewPolicyController(pclient, + policyCtrl, err := policy.NewPolicyController(pclient, client, pInformer.Kyverno().V1().ClusterPolicies(), pInformer.Kyverno().V1().ClusterPolicyViolations(), @@ -286,7 +286,7 @@ func main() { go rWebhookWatcher.Run(stopCh) go configData.Run(stopCh) go policyMetaStore.Run(stopCh) - go pc.Run(1, stopCh) + go policyCtrl.Run(3, stopCh) go egen.Run(1, stopCh) go grc.Run(1, stopCh) go grcc.Run(1, stopCh) From b763c33a292f11445edba124cd5b47ea4b6b89f2 Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Sun, 17 May 2020 17:58:57 -0700 Subject: [PATCH 7/7] fix mock discover client --- pkg/dclient/utils.go | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/pkg/dclient/utils.go b/pkg/dclient/utils.go index 8b170eb094..0ed2459901 100644 --- a/pkg/dclient/utils.go +++ b/pkg/dclient/utils.go @@ -1,10 +1,12 @@ package client import ( + "fmt" "strings" openapi_v2 "github.com/googleapis/gnostic/OpenAPIv2" + meta "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" @@ -76,6 +78,10 @@ func (c *fakeDiscoveryClient) GetGVRFromKind(kind string) schema.GroupVersionRes return c.getGVR(resource) } +func (c *fakeDiscoveryClient) FindResource(kind string) (*meta.APIResource, schema.GroupVersionResource, error) { + return nil, schema.GroupVersionResource{}, fmt.Errorf("Not implemented") +} + func (c *fakeDiscoveryClient) OpenAPISchema() (*openapi_v2.Document, error) { return nil, nil }