
Bugfixes - handle verifyImage rules for webhooks configurations (#2501)

* dynamic webhooks for verifyImages rule

Signed-off-by: ShutingZhao <shutting06@gmail.com>

* add namespace env to the initContainer

Signed-off-by: ShutingZhao <shutting06@gmail.com>

* add debug log

Signed-off-by: ShutingZhao <shutting06@gmail.com>

* update operator schema validation tag

Signed-off-by: ShutingZhao <shutting06@gmail.com>

* set policy to ready if auto-update-webhook disabled

Signed-off-by: ShutingZhao <shutting06@gmail.com>
shuting 2021-10-07 13:50:30 -07:00 committed by GitHub
parent f67f847901
commit 9dc2c2b4bf
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
9 changed files with 7191 additions and 4454 deletions



@ -1530,6 +1530,14 @@ spec:
- NotEquals
- In
- NotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
description: Value is the conditional value,
@ -1562,6 +1570,14 @@ spec:
- NotEquals
- In
- NotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
description: Value is the conditional value,
@ -1754,6 +1770,14 @@ spec:
- NotEquals
- In
- NotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
description: Value is the conditional value,
@ -1786,6 +1810,14 @@ spec:
- NotEquals
- In
- NotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
description: Value is the conditional value,
@ -1866,6 +1898,14 @@ spec:
- NotEquals
- In
- NotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
description: Value is the conditional
@ -1900,6 +1940,14 @@ spec:
- NotEquals
- In
- NotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
description: Value is the conditional


@ -1531,6 +1531,14 @@ spec:
- NotEquals
- In
- NotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
description: Value is the conditional value,
@ -1563,6 +1571,14 @@ spec:
- NotEquals
- In
- NotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
description: Value is the conditional value,
@ -1755,6 +1771,14 @@ spec:
- NotEquals
- In
- NotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
description: Value is the conditional value,
@ -1787,6 +1811,14 @@ spec:
- NotEquals
- In
- NotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
description: Value is the conditional value,
@ -1867,6 +1899,14 @@ spec:
- NotEquals
- In
- NotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
description: Value is the conditional
@ -1901,6 +1941,14 @@ spec:
- NotEquals
- In
- NotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
description: Value is the conditional




@ -58,6 +58,10 @@ spec:
env:
- name: METRICS_CONFIG
value: kyverno-metrics
- name: KYVERNO_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
containers:
- name: kyverno
image: ghcr.io/kyverno/kyverno:latest


@ -218,7 +218,7 @@ type Condition struct {
}
// ConditionOperator is the operation performed on condition key and value.
// +kubebuilder:validation:Enum=Equals;NotEquals;In;NotIn
// +kubebuilder:validation:Enum=Equals;NotEquals;In;NotIn;GreaterThanOrEquals;GreaterThan;LessThanOrEquals;LessThan;DurationGreaterThanOrEquals;DurationGreaterThan;DurationLessThanOrEquals;DurationLessThan
type ConditionOperator string
const (
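Review bot: The doc comment on ConditionOperator still says only that it is "the operation performed on condition key and value", while the validation enum on the new line grew from four to twelve operators, including four Duration* variants whose value semantics are not obvious to a policy author, and the enum string has to be kept in step with the const block and the generated CRD schema by hand. Suggest extending the comment to `// ConditionOperator is the operation performed on condition key and value.` followed by `// Keep the kubebuilder enum above in sync with the constants below and the generated CRD; the Duration* operators presumably compare values parsed as durations — confirm against the condition evaluator.` The `const (` block opens on the hunk's last line and continues outside it.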


@ -62,6 +62,8 @@ type webhookConfigManager struct {
queue workqueue.RateLimitingInterface
autoUpdateWebhooks bool
// wildcardPolicy indicates the number of policies that matches all kinds (*) defined
wildcardPolicy int64
@ -82,6 +84,7 @@ func newWebhookConfigManager(
pInformer kyvernoinformer.ClusterPolicyInformer,
npInformer kyvernoinformer.PolicyInformer,
resCache resourcecache.ResourceCache,
autoUpdateWebhooks bool,
createDefaultWebhook chan<- string,
stopCh <-chan struct{},
log logr.Logger) manage {
@ -94,6 +97,7 @@ func newWebhookConfigManager(
resCache: resCache,
queue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "configmanager"),
wildcardPolicy: 0,
autoUpdateWebhooks: autoUpdateWebhooks,
createDefaultWebhook: createDefaultWebhook,
stopCh: stopCh,
log: log,
@ -368,20 +372,23 @@ func (m *webhookConfigManager) reconcileWebhook(namespace, name string) error {
return errors.Wrapf(err, "unable to get policy object %s/%s", namespace, name)
}
webhooks, err := m.buildWebhooks(namespace)
if err != nil {
return err
}
ready := true
if err := m.updateWebhookConfig(webhooks); err != nil {
ready = false
logger.Error(err, "failed to update webhook configurations for policy")
}
// build webhook only if auto-update is enabled, otherwise directly update status to ready
if m.autoUpdateWebhooks {
webhooks, err := m.buildWebhooks(namespace)
if err != nil {
return err
}
// DELETION of the policy
if policy == nil {
return nil
if err := m.updateWebhookConfig(webhooks); err != nil {
ready = false
logger.Error(err, "failed to update webhook configurations for policy")
}
// DELETION of the policy
if policy == nil {
return nil
}
}
if err := m.updateStatus(policy, ready); err != nil {
@ -479,7 +486,7 @@ func (m *webhookConfigManager) buildWebhooks(namespace string) (res []*webhook,
}
}
if p.HasMutate() || p.HasGenerate() {
if p.HasMutate() || p.HasVerifyImages() || p.HasGenerate() {
if p.Spec.FailurePolicy != nil && *p.Spec.FailurePolicy == kyverno.Ignore {
m.mergeWebhook(mutateIgnore, p, false)
} else {
@ -663,7 +670,8 @@ func (m *webhookConfigManager) mergeWebhook(dst *webhook, policy *kyverno.Cluste
}
if (updateValidate && rule.HasValidate()) ||
(!updateValidate && rule.HasMutate()) {
(!updateValidate && rule.HasMutate()) ||
(!updateValidate && rule.HasVerifyImages()) {
matchedGVK = append(matchedGVK, rule.MatchKinds()...)
}
}
@ -678,6 +686,7 @@ func (m *webhookConfigManager) mergeWebhook(dst *webhook, policy *kyverno.Cluste
gv, k := common.GetKindFromGVK(gvk)
_, gvr, err := m.client.DiscoveryClient.FindResource(gv, k)
if err != nil {
m.log.Error(err, "unable to convert GVK to GVR", "GVK", gvk)
continue
}
gvrList = append(gvrList, gvr)
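Review bot: In reconcileWebhook the deletion guard `if policy == nil { return nil }` has moved inside the `if m.autoUpdateWebhooks` block, so with auto-update disabled a deleted policy (the lookup above the hunk yields `policy == nil` on deletion, as the old guard's comment shows) now falls through to `m.updateStatus(policy, ready)`, which presumably dereferences it and would panic the reconcile worker. Hoist the guard back out: close the `if m.autoUpdateWebhooks {` block right after the `updateWebhookConfig` error handling and place `// DELETION of the policy` / `if policy == nil { return nil }` immediately before the `updateStatus` call, so deletion is handled on both paths while the webhook rebuild still runs without the deleted policy. reconcileWebhook's body begins before and ends after this hunk. Separately, since verifyImages rules now ride on the mutate webhook, a policy with `failurePolicy: Ignore` (the `*p.Spec.FailurePolicy == kyverno.Ignore` branch in buildWebhooks) is fail-open: if the webhook is unreachable, unverified images are admitted, which deserves a sentence in the docs for this feature.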


@ -79,9 +79,7 @@ func NewRegister(
createDefaultWebhook: make(chan string),
}
if register.autoUpdateWebhooks {
register.manage = newWebhookConfigManager(client, kyvernoClient, pInformer, npInformer, resCache, register.createDefaultWebhook, stopCh, log.WithName("WebhookConfigManager"))
}
register.manage = newWebhookConfigManager(client, kyvernoClient, pInformer, npInformer, resCache, register.autoUpdateWebhooks, register.createDefaultWebhook, stopCh, log.WithName("WebhookConfigManager"))
return register
}
@ -129,9 +127,7 @@ func (wrc *Register) Register() error {
return fmt.Errorf("%s", strings.Join(errors, ","))
}
if wrc.autoUpdateWebhooks {
go wrc.manage.start()
}
go wrc.manage.start()
return nil
}