Match endpoint to the exact Kyverno Pod's IP (#1787)

* update log message Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update printer column - validation failure action Signed-off-by: Shuting Zhao <shutting06@gmail.com> * match endpoint ip with the exact pod ip Signed-off-by: Shuting Zhao <shutting06@gmail.com> * - add tag "app.kubernetes.io/name"; - reduce throttling requests when deletes webhook configs Signed-off-by: Shuting Zhao <shutting06@gmail.com> * add [SelfSubjectAccessReview,*,*] to resource filters Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2025-03-31 03:45:17 +00:00 · 2021-04-12 20:29:51 -07:00 · 2021-04-12 20:29:51 -07:00 · 9dab21619f
commit 9dab21619f
parent fae48094d8
8 changed files with 85 additions and 12 deletions
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@ -116,6 +116,7 @@ config:
  - "[APIService,*,*]"
  - "[TokenReview,*,*]"
  - "[SubjectAccessReview,*,*]"
+  - "[SelfSubjectAccessReview,*,*]"
  - "[*,kyverno,*]"
  - "[Binding,*,*]"
  - "[ReplicaSet,*,*]"
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@ -2386,7 +2386,7 @@ subjects:
 apiVersion: v1
 data:
  excludeGroupRole: system:serviceaccounts:kube-system,system:nodes,system:kube-scheduler
-  resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]'
+  resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]'
 kind: ConfigMap
 metadata:
  name: init-config
@ -2397,6 +2397,7 @@ kind: Service
 metadata:
  labels:
    app: kyverno
+    app.kubernetes.io/name: kyverno
  name: kyverno-svc
  namespace: kyverno
 spec:
@ -2405,12 +2406,14 @@ spec:
    targetPort: https
  selector:
    app: kyverno
+    app.kubernetes.io/name: kyverno
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  labels:
    app: kyverno
+    app.kubernetes.io/name: kyverno
  name: kyverno
  namespace: kyverno
 spec:
@ -2418,10 +2421,12 @@ spec:
  selector:
    matchLabels:
      app: kyverno
+      app.kubernetes.io/name: kyverno
  template:
    metadata:
      labels:
        app: kyverno
+        app.kubernetes.io/name: kyverno
    spec:
      containers:
      - args:
--- a/definitions/install_debug.yaml
+++ b/definitions/install_debug.yaml
@ -2386,7 +2386,7 @@ subjects:
 apiVersion: v1
 data:
  excludeGroupRole: system:serviceaccounts:kube-system,system:nodes,system:kube-scheduler
-  resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]'
+  resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]'
 kind: ConfigMap
 metadata:
  name: init-config
@ -2397,6 +2397,7 @@ kind: Service
 metadata:
  labels:
    app: kyverno
+    app.kubernetes.io/name: kyverno
  name: kyverno-svc
  namespace: kyverno
 spec:
@ -2405,3 +2406,4 @@ spec:
    targetPort: https
  selector:
    app: kyverno
+    app.kubernetes.io/name: kyverno
--- a/definitions/k8s-resource/clusterroles.yaml
+++ b/definitions/k8s-resource/clusterroles.yaml
@ -11,12 +11,14 @@ metadata:
  name: kyverno-svc
  labels:
    app: kyverno
+    app.kubernetes.io/name: kyverno
 spec:
  ports:
  - port: 443
    targetPort: https
  selector:
    app: kyverno
+    app.kubernetes.io/name: kyverno
 ---
 apiVersion: v1
 kind: ServiceAccount
--- a/definitions/k8s-resource/configmap.yaml
+++ b/definitions/k8s-resource/configmap.yaml
@ -1,6 +1,6 @@
 apiVersion: v1
 data:
-  resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]'
+  resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]'
  excludeGroupRole: 'system:serviceaccounts:kube-system,system:nodes,system:kube-scheduler'
 kind: ConfigMap
 metadata:
--- a/definitions/manifest/deployment.yaml
+++ b/definitions/manifest/deployment.yaml
@ -6,15 +6,18 @@ metadata:
  name: kyverno
  labels:
    app: kyverno
+    app.kubernetes.io/name: kyverno
 spec:
  selector:
    matchLabels:
      app: kyverno
+      app.kubernetes.io/name: kyverno
  replicas: 1
  template:
    metadata:
      labels:
        app: kyverno
+        app.kubernetes.io/name: kyverno
    spec:
      serviceAccountName: kyverno-service-account
      securityContext:
--- a/pkg/webhookconfig/registration.go
+++ b/pkg/webhookconfig/registration.go
@ -316,6 +316,14 @@ func (wrc *Register) removePolicyMutatingWebhookConfiguration(wg *sync.WaitGroup
 	mutatingConfig := wrc.getPolicyMutatingWebhookConfigurationName()

 	logger := wrc.log.WithValues("kind", kindMutating, "name", mutatingConfig)
+
+	if mutateCache, ok := wrc.resCache.GetGVRCache("MutatingWebhookConfiguration"); ok {
+		if _, err := mutateCache.Lister().Get(mutatingConfig); err != nil && errorsapi.IsNotFound(err) {
+			logger.V(4).Info("webhook not found")
+			return
+		}
+	}
+
 	err := wrc.client.DeleteResource("", kindMutating, "", mutatingConfig, false)
 	if errorsapi.IsNotFound(err) {
 		logger.V(5).Info("policy mutating webhook configuration not found")
@ -346,6 +354,13 @@ func (wrc *Register) removePolicyValidatingWebhookConfiguration(wg *sync.WaitGro
 	validatingConfig := wrc.getPolicyValidatingWebhookConfigurationName()

 	logger := wrc.log.WithValues("kind", kindValidating, "name", validatingConfig)
+	if mutateCache, ok := wrc.resCache.GetGVRCache("ValidatingWebhookConfiguration"); ok {
+		if _, err := mutateCache.Lister().Get(validatingConfig); err != nil && errorsapi.IsNotFound(err) {
+			logger.V(4).Info("webhook not found")
+			return
+		}
+	}
+
 	logger.V(4).Info("removing validating webhook configuration")
 	err := wrc.client.DeleteResource("", kindValidating, "", validatingConfig, false)
 	if errorsapi.IsNotFound(err) {
@ -424,8 +439,15 @@ func (wrc *Register) removeVerifyWebhookMutatingWebhookConfig(wg *sync.WaitGroup

 	var err error
 	mutatingConfig := wrc.getVerifyWebhookMutatingWebhookName()
-
 	logger := wrc.log.WithValues("kind", kindMutating, "name", mutatingConfig)
+
+	if mutateCache, ok := wrc.resCache.GetGVRCache("MutatingWebhookConfiguration"); ok {
+		if _, err := mutateCache.Lister().Get(mutatingConfig); err != nil && errorsapi.IsNotFound(err) {
+			logger.V(4).Info("webhook not found")
+			return
+		}
+	}
+
 	err = wrc.client.DeleteResource("", kindMutating, "", mutatingConfig, false)
 	if errorsapi.IsNotFound(err) {
 		logger.V(5).Info("verify webhook configuration not found")
@ -464,7 +486,7 @@ func (wrc *Register) removeSecrets() {
 	}

 	secretList, err := wrc.client.ListResource("", "Secret", config.KyvernoNamespace, selector)
-	if err != nil && errorsapi.IsNotFound(err) {
+	if err != nil {
 		wrc.log.Error(err, "failed to clean up Kyverno managed secrets")
 		return
 	}
@ -479,24 +501,45 @@ func (wrc *Register) removeSecrets() {
 func (wrc *Register) checkEndpoint() error {
 	obj, err := wrc.client.GetResource("", "Endpoints", config.KyvernoNamespace, config.KyvernoServiceName)
 	if err != nil {
-		wrc.log.Error(err, "failed to get endpoint", "ns", config.KyvernoNamespace, "name", config.KyvernoServiceName)
-		return err
+		return fmt.Errorf("failed to get endpoint %s/%s: %v", config.KyvernoNamespace, config.KyvernoServiceName, err)
 	}
 	var endpoint corev1.Endpoints
 	err = runtime.DefaultUnstructuredConverter.FromUnstructured(obj.UnstructuredContent(), &endpoint)
 	if err != nil {
-		wrc.log.Error(err, "failed to convert endpoint from unstructured", "ns", config.KyvernoNamespace, "name", config.KyvernoServiceName)
-		return err
+		return fmt.Errorf("failed to convert endpoint %s/%s from unstructured: %v", config.KyvernoNamespace, config.KyvernoServiceName, err)
 	}
+
+	pods, err := wrc.client.ListResource("", "Pod", config.KyvernoNamespace, &v1.LabelSelector{MatchLabels: map[string]string{"app.kubernetes.io/name": "kyverno"}})
+	if err != nil {
+		return fmt.Errorf("failed to list Kyverno Pod: %v", err)
+	}
+
+	kyverno := pods.Items[0]
+	podIp, _, err := unstructured.NestedString(kyverno.UnstructuredContent(), "status", "podIP")
+	if err != nil {
+		return fmt.Errorf("failed to extract pod IP: %v", err)
+	}
+
+	if podIp == "" {
+		return fmt.Errorf("Pod is not assigned to any node yet")
+	}
+
 	for _, subset := range endpoint.Subsets {
 		if len(subset.Addresses) == 0 {
 			continue
 		}
-		if subset.Addresses[0].IP != "" {
+
+		for _, addr := range subset.Addresses {
+			if addr.IP == podIp {
 				wrc.log.Info("Endpoint ready", "ns", config.KyvernoNamespace, "name", config.KyvernoServiceName)
 				return nil
 			}
 		}
+	}
+
+	// clean up old webhook configurations, if any
+	wrc.removeWebhookConfigurations()
+
 	err = fmt.Errorf("Endpoint not ready")
 	wrc.log.V(3).Info(err.Error(), "ns", config.KyvernoNamespace, "name", config.KyvernoServiceName)
 	return err
--- a/pkg/webhookconfig/resource.go
+++ b/pkg/webhookconfig/resource.go
@ -7,6 +7,7 @@ import (
 	"github.com/kyverno/kyverno/pkg/config"
 	admregapi "k8s.io/api/admissionregistration/v1beta1"
 	"k8s.io/apimachinery/pkg/api/errors"
+	errorsapi "k8s.io/apimachinery/pkg/api/errors"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )

@ -70,6 +71,14 @@ func (wrc *Register) removeResourceMutatingWebhookConfiguration(wg *sync.WaitGro

 	configName := wrc.getResourceMutatingWebhookConfigName()
 	logger := wrc.log.WithValues("kind", kindMutating, "name", configName)
+
+	if mutateCache, ok := wrc.resCache.GetGVRCache("MutatingWebhookConfiguration"); ok {
+		if _, err := mutateCache.Lister().Get(configName); err != nil && errorsapi.IsNotFound(err) {
+			logger.V(4).Info("webhook not found")
+			return
+		}
+	}
+
 	// delete webhook configuration
 	err := wrc.client.DeleteResource("", kindMutating, "", configName, false)
 	if errors.IsNotFound(err) {
@ -146,6 +155,14 @@ func (wrc *Register) removeResourceValidatingWebhookConfiguration(wg *sync.WaitG

 	configName := wrc.getResourceValidatingWebhookConfigName()
 	logger := wrc.log.WithValues("kind", kindValidating, "name", configName)
+
+	if mutateCache, ok := wrc.resCache.GetGVRCache("ValidatingWebhookConfiguration"); ok {
+		if _, err := mutateCache.Lister().Get(configName); err != nil && errorsapi.IsNotFound(err) {
+			logger.V(4).Info("webhook not found")
+			return
+		}
+	}
+
 	err := wrc.client.DeleteResource("", kindValidating, "", configName, false)
 	if errors.IsNotFound(err) {
 		logger.V(5).Info("webhook configuration not found")