NK-31: Put constants in separate file. Updated install.yaml definition to create Service and DaemonSet. Fixed bug with webhook registration.

constants/constants.go

@@ -0,0 +1,17 @@
+package constants
+
+const (
+	// These constants MUST be equal to the corresponding names in service definition in definitions/install.yaml
+	WebhookServiceNamespace = "kube-system"
+	WebhookServiceName = "kube-policy-svc"
+
+	WebhookConfigName = "nirmata-kube-policy-webhook-cfg"
+	MutationWebhookName = "webhook.nirmata.kube-policy"
+)
+
+var (
+	WebhookServicePath = "/mutate"
+	WebhookConfigLabels = map[string]string {
+		"app": "kube-policy",
+	}
+)

definitions/examples/selector-policy.yaml

@@ -1,21 +0,0 @@
-apiVersion: policy.nirmata.io/v1alpha1
-kind : Policy
-metadata:
-  name: selector-policy
-spec:
-  failurePolicy: continueOnError
-  rules:
-  - resource:
-      kind: ConfigMap 
-      selector: 
-        matchLabels:
-          label1: test1
-        matchExpressions:
-        - key: label2
-          operator: In
-          values:
-          - test2
-    patch: 
-    - path: /
-      op : add
-      value : "20"

definitions/install.yaml

@@ -145,3 +145,72 @@ spec:
                         type: object
                         additionalProperties:
                           type: string
+---
+apiVersion: v1
+kind: Service
+metadata:
+  namespace: kube-system
+  name: kube-policy-svc
+  labels:
+    app: kube-policy
+spec:
+  ports:
+  - port: 443
+    targetPort: 443
+  selector:
+    app: kube-policy
+#---
+#apiVersion: v1
+#kind: ServiceAccount
+#metadata:
+#  name: kube-policy-service-account
+#  namespace: kube-system
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: kube-policy-admin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: kube-system
+---
+apiVersion: extensions/v1beta1
+kind: DaemonSet
+metadata:
+  labels:
+    app: kube-policy
+    tier: node
+  name: kube-policy-daemon
+  namespace: kube-system
+spec:
+  template:
+    metadata:
+      labels:
+        app: kube-policy
+        tier: node
+    spec:
+      #serviceAccountName: kube-policy-service-account
+      #serviceAccount: kube-policy-service-account
+      containers:
+      - name: kube-policy
+        image: nirmata/kube-policy:latest
+        imagePullPolicy: IfNotPresent
+        ports:
+        - containerPort: 443
+        securityContext:
+          privileged: true
+      hostNetwork: true
+      tolerations:
+      - key: CriticalAddonsOnly
+        operator: Exists
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master
+        operator: Exists
+      - effect: NoSchedule
+        key: node.kubernetes.io/not-ready
+        operator: Exists

init.go

@@ -6,16 +6,13 @@ import (
 	"net/url"
 
 	"github.com/nirmata/kube-policy/kubeclient"
+	"github.com/nirmata/kube-policy/constants"
 	"github.com/nirmata/kube-policy/utils"
 
 	rest "k8s.io/client-go/rest"
 	clientcmd "k8s.io/client-go/tools/clientcmd"
 )
 
-// These constants MUST be equal to the corresponding names in service definition in definitions/install.yaml
-const serviceName string = "kube-policy-svc"
-const namespace string = "default"
-
 func createClientConfig(kubeconfig string) (*rest.Config, error) {
 	if kubeconfig == "" {
 		log.Printf("Using in-cluster configuration")
@@ -29,13 +26,13 @@ func createClientConfig(kubeconfig string) (*rest.Config, error) {
 func readTlsPairFromFiles(certFile, keyFile string) *utils.TlsPemPair {
 	certContent, err := ioutil.ReadFile(certFile)
 	if err != nil {
-		log.Printf("Unable to read file with TLS certificate: %v", err)
+		log.Printf("Unable to read file with TLS certificate: path - %s, error - %v", certFile, err)
 		return nil
 	}
 
 	keyContent, err := ioutil.ReadFile(keyFile)
 	if err != nil {
-		log.Printf("Unable to read file with TLS private key: %v", err)
+		log.Printf("Unable to read file with TLS private key: path - %s, error - %v", keyFile, err)
 		return nil
 	}
 
@@ -53,8 +50,8 @@ func initTlsPemsPair(config *rest.Config, client *kubeclient.KubeClient) (*utils
 		return nil, err
 	}
 	certProps := utils.TlsCertificateProps{
-		Service:       serviceName,
-		Namespace:     namespace,
+		Service:       constants.WebhookServiceName,
+		Namespace:     constants.WebhookServiceNamespace,
 		ApiServerHost: apiServerUrl.Hostname(),
 	}
 

main.go

@@ -24,7 +24,7 @@ func main() {
 		log.Fatalf("Error building kubeconfig: %v\n", err)
 	}
 
-	_, err = webhooks.RegisterMutationWebhook(clientConfig)
+	err = webhooks.RegisterMutationWebhook(clientConfig)
 	if err != nil {
 		log.Fatalf("Error registering mutation webhook server: %v\n", err)
 	}

server/server.go

@@ -14,8 +14,9 @@ import (
 
 	"github.com/nirmata/kube-policy/controller"
 	"github.com/nirmata/kube-policy/kubeclient"
-	"github.com/nirmata/kube-policy/utils"
+	"github.com/nirmata/kube-policy/constants"
 	"github.com/nirmata/kube-policy/webhooks"
+	"github.com/nirmata/kube-policy/utils"
 
 	v1beta1 "k8s.io/api/admission/v1beta1"
 )
@@ -66,7 +67,7 @@ func NewWebhookServer(config WebhookServerConfig, logger *log.Logger) (*WebhookS
 	}
 
 	mux := http.NewServeMux()
-	mux.HandleFunc("/mutate", ws.serve)
+	mux.HandleFunc(constants.WebhookServicePath, ws.serve)
 
 	ws.server = http.Server{
 		Addr:         ":443", // Listen on port for HTTPS requests
@@ -82,7 +83,7 @@ func NewWebhookServer(config WebhookServerConfig, logger *log.Logger) (*WebhookS
 
 // Main server endpoint for all requests
 func (ws *WebhookServer) serve(w http.ResponseWriter, r *http.Request) {
-	if r.URL.Path == "/mutate" {
+	if r.URL.Path == constants.WebhookServicePath {
 		admissionReview := ws.parseAdmissionReview(r, w)
 		if admissionReview == nil {
 			return

webhooks/registration.go

@@ -1,58 +1,44 @@
 package webhooks
+
 import (
 	"io/ioutil"
 
+	"github.com/nirmata/kube-policy/constants"
+
 	rest "k8s.io/client-go/rest"
 	meta "k8s.io/apimachinery/pkg/apis/meta/v1"
 	adm "k8s.io/api/admissionregistration/v1beta1"
-	types "k8s.io/api/admissionregistration/v1beta1"
 	admreg "k8s.io/client-go/kubernetes/typed/admissionregistration/v1beta1"
 )
 
-const (
-	webhookName = "nirmata-kube-policy-webhook-cfg"
-	mutationWebhookName = "webhook.nirmata.kube-policy"
-	webhookServiceNamespace = "default"
-	webhookServiceName = "kube-policy-svc"
-)
-
-var (
-	webhookPath = "mutate"
-	webhookLabels = map[string]string {
-	    "app": "kube-policy",
-    }
-)
-
-func RegisterMutationWebhook(config *rest.Config) (*types.MutatingWebhookConfiguration, error) {
-var result *types.MutatingWebhookConfiguration = nil
-
+func RegisterMutationWebhook(config *rest.Config) error {
 	registrationClient, err := admreg.NewForConfig(config)
 	if err != nil {
-		return nil, err
+		return err
 	}
 
-	result, err = registrationClient.MutatingWebhookConfigurations().Create(constructWebhookConfig(config))
+	_, err = registrationClient.MutatingWebhookConfigurations().Create(constructWebhookConfig(config))
 	if err != nil {
-		return nil, err
+		return err
 	}
 
-	return result, nil
+	return nil
 }
 
 func constructWebhookConfig(config *rest.Config) *adm.MutatingWebhookConfiguration {
 	return &adm.MutatingWebhookConfiguration {
 		ObjectMeta: meta.ObjectMeta {
-			Name: webhookName,
-			Labels: webhookLabels,
+			Name: constants.WebhookConfigName,
+			Labels: constants.WebhookConfigLabels,
 		},
 		Webhooks: []adm.Webhook {
 			adm.Webhook {
-				Name: mutationWebhookName,
+				Name: constants.MutationWebhookName,
 				ClientConfig: adm.WebhookClientConfig {
                     Service: &adm.ServiceReference {
-						Namespace: webhookServiceNamespace,
-						Name: webhookServiceName,
-						Path: &webhookPath,
+						Namespace: constants.WebhookServiceNamespace,
+						Name: constants.WebhookServiceName,
+						Path: &constants.WebhookServicePath,
 					},
 					CABundle: ExtractCA(config),
 				},