feat: add webhook annotations support in config map (#6579)
* feat: add webhook annotations support in config map Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * release notes Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * example Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
parent
dbfeb75793
commit
a08d0b8749
12 changed files with 117 additions and 42 deletions
|
@ -7,6 +7,7 @@
|
|||
- Removed `GenerateRequest` CRD.
|
||||
- Refactored `kyverno` chart, migration instructions are available in chart `README.md`.
|
||||
- Image references in the json context are not mutated to canonical form anymore, do not assume a registry domain is always present.
|
||||
- Added support for configuring webhook annotations in the config map through `webhookAnnotations` stanza.
|
||||
|
||||
## v1.9.0-rc.1
|
||||
|
||||
|
|
|
@ -34,3 +34,5 @@ annotations:
|
|||
description: change dashboard title of kyverno grafana dashboard
|
||||
- kind: added
|
||||
description: view aggregated cluster role support
|
||||
- kind: added
|
||||
description: support for webhook annotations in config map
|
||||
|
|
|
@ -197,6 +197,7 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
| config.generateSuccessEvents | bool | `false` | Generate success events. |
|
||||
| config.resourceFilters | list | See [values.yaml](values.yaml) | Resource types to be skipped by the Kyverno policy engine. Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list. These are joined together without spaces, run through `tpl`, and the result is set in the config map. |
|
||||
| config.webhooks | list | `[]` | Defines the `namespaceSelector` in the webhook configurations. Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element will be forwarded to the webhook configurations. The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default) |
|
||||
| config.webhookAnnotations | object | `{}` | Defines annotations to set on webhook configurations. |
|
||||
| metricsConfig.create | bool | `true` | Create the configmap. |
|
||||
| metricsConfig.name | string | `nil` | The configmap name (required if `create` is `false`). |
|
||||
| metricsConfig.annotations | object | `{}` | Additional annotations to add to the configmap. |
|
||||
|
|
|
@ -39,4 +39,7 @@ data:
|
|||
{{- else if .Values.excludeKyvernoNamespace }}
|
||||
webhooks: '[{"namespaceSelector": {"matchExpressions": [{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["{{ include "kyverno.namespace" . }}"]}]}}]'
|
||||
{{- end -}}
|
||||
{{- with .Values.config.webhookAnnotations }}
|
||||
webhookAnnotations: {{ toJson . | quote }}
|
||||
{{- end }}
|
||||
{{- end -}}
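Review bot: `webhookAnnotations: {{ toJson . | quote }}` passes whatever type the operator put under `config.webhookAnnotations` straight through, while the controller side decodes the string into `map[string]string`, so an unquoted value such as `admissions.enforcer/disabled: true` is emitted as a JSON boolean, the decode fails, and the entire annotation set is dropped with nothing but an error log. The values example quotes both key and value, but nothing in the template enforces that. I would say so next to the stanza, e.g. `# Keys and values must be strings (quote them); one non-string value makes the whole stanza unparsable and it is ignored.`, or coerce each value with `toString` before `toJson`.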
|
||||
|
|
|
@ -112,6 +112,11 @@ config:
|
|||
# - key: webhooks.kyverno.io/exclude
|
||||
# operator: DoesNotExist
|
||||
|
||||
# -- Defines annotations to set on webhook configurations.
|
||||
webhookAnnotations: {}
|
||||
# Example to disable admission enforcer on AKS:
|
||||
# 'admissions.enforcer/disabled': 'true'
|
||||
|
||||
# Metrics configuration
|
||||
metricsConfig:
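Review bot: The example `'admissions.enforcer/disabled': 'true'` is given without saying what it trades away: on AKS the admission enforcer is, as far as I know, what keeps third-party webhooks from intercepting resources in the AKS-managed namespaces such as kube-system, so setting it widens the reach of every Kyverno webhook to those namespaces, and with a Fail failure policy an unavailable Kyverno could then block control-plane workloads. That is a deliberate decision an operator should make knowingly rather than copy from a comment. I would extend the example with `# NOTE: this lets Kyverno's webhooks intercept AKS system namespaces; review your webhooks/namespaceSelector and failurePolicy first.`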
|
||||
|
||||
|
|
|
@ -123,6 +123,7 @@ func main() {
|
|||
kubeClient.AdmissionregistrationV1().ValidatingWebhookConfigurations(),
|
||||
kubeInformer.Admissionregistration().V1().ValidatingWebhookConfigurations(),
|
||||
kubeKyvernoInformer.Core().V1().Secrets(),
|
||||
kubeKyvernoInformer.Core().V1().ConfigMaps(),
|
||||
config.CleanupValidatingWebhookConfigurationName,
|
||||
config.CleanupValidatingWebhookServicePath,
|
||||
serverIP,
|
||||
|
|
|
@ -183,6 +183,7 @@ func createrLeaderControllers(
|
|||
kubeClient.AdmissionregistrationV1().ValidatingWebhookConfigurations(),
|
||||
kubeInformer.Admissionregistration().V1().ValidatingWebhookConfigurations(),
|
||||
kubeKyvernoInformer.Core().V1().Secrets(),
|
||||
kubeKyvernoInformer.Core().V1().ConfigMaps(),
|
||||
config.ExceptionValidatingWebhookConfigurationName,
|
||||
config.ExceptionValidatingWebhookServicePath,
|
||||
serverIP,
|
||||
|
|
|
@ -7,7 +7,7 @@ import (
|
|||
|
||||
valid "github.com/asaskevich/govalidator"
|
||||
osutils "github.com/kyverno/kyverno/pkg/utils/os"
|
||||
wildcard "github.com/kyverno/kyverno/pkg/utils/wildcard"
|
||||
"github.com/kyverno/kyverno/pkg/utils/wildcard"
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
"k8s.io/apimachinery/pkg/api/errors"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
|
@ -149,6 +149,8 @@ type Configuration interface {
|
|||
GetGenerateSuccessEvents() bool
|
||||
// GetWebhooks returns the webhook configs
|
||||
GetWebhooks() []WebhookConfig
|
||||
// GetWebhookAnnotations returns annotations to set on webhook configs
|
||||
GetWebhookAnnotations() map[string]string
|
||||
// Load loads configuration from a configmap
|
||||
Load(cm *corev1.ConfigMap)
|
||||
}
|
||||
|
@ -162,8 +164,9 @@ type configuration struct {
|
|||
excludeBackgroundUsernames []string
|
||||
filters []filter
|
||||
generateSuccessEvents bool
|
||||
mux sync.RWMutex
|
||||
webhooks []WebhookConfig
|
||||
webhookAnnotations map[string]string
|
||||
mux sync.RWMutex
|
||||
}
|
||||
|
||||
// NewDefaultConfiguration ...
|
||||
|
@ -248,6 +251,12 @@ func (cd *configuration) GetWebhooks() []WebhookConfig {
|
|||
return cd.webhooks
|
||||
}
|
||||
|
||||
func (cd *configuration) GetWebhookAnnotations() map[string]string {
|
||||
cd.mux.RLock()
|
||||
defer cd.mux.RUnlock()
|
||||
return cd.webhookAnnotations
|
||||
}
|
||||
|
||||
func (cd *configuration) Load(cm *corev1.ConfigMap) {
|
||||
if cm != nil {
|
||||
cd.load(cm)
|
||||
|
@ -336,6 +345,16 @@ func (cd *configuration) load(cm *corev1.ConfigMap) {
|
|||
cd.webhooks = webhooks
|
||||
}
|
||||
}
|
||||
// load webhook annotations
|
||||
webhookAnnotations, ok := cm.Data["webhookAnnotations"]
|
||||
if ok {
|
||||
webhookAnnotations, err := parseWebhookAnnotations(webhookAnnotations)
|
||||
if err != nil {
|
||||
logger.Error(err, "failed to parse webhook annotations")
|
||||
} else {
|
||||
cd.webhookAnnotations = webhookAnnotations
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func (cd *configuration) unload() {
|
||||
|
@ -348,6 +367,7 @@ func (cd *configuration) unload() {
|
|||
cd.excludedGroups = []string{}
|
||||
cd.generateSuccessEvents = false
|
||||
cd.webhooks = nil
|
||||
cd.webhookAnnotations = nil
|
||||
cd.excludedGroups = append(cd.excludedGroups, defaultExcludedGroups...)
|
||||
cd.excludedUsernames = append(cd.excludedUsernames, defaultExcludedUsernames...)
|
||||
}
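Review bot: In the new `load` branch the raw string read from `cm.Data["webhookAnnotations"]` and the parsed map share the name `webhookAnnotations`, the inner `:=` shadowing the outer, which is exactly the shadowing pattern that hides a dropped result; `raw, ok := cm.Data["webhookAnnotations"]` and `webhookAnnotations, err := parseWebhookAnnotations(raw)` read cleanly. Separately, `GetWebhookAnnotations` hands out the internal map under RLock, matching `GetWebhooks`, so the lock covers only the pointer read and callers must treat the map as read-only; that deserves a sentence in the interface comment, e.g. `// GetWebhookAnnotations returns the annotations to set on webhook configs; the map is shared and must not be modified`. The parse-failure path keeps whatever value the field already held, which is consistent with the webhooks handling above it. `load` and `unload` start outside the hunks shown.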
|
||||
|
|
|
@ -21,6 +21,14 @@ func parseWebhooks(webhooks string) ([]WebhookConfig, error) {
|
|||
return webhookCfgs, nil
|
||||
}
|
||||
|
||||
func parseWebhookAnnotations(in string) (map[string]string, error) {
|
||||
var out map[string]string
|
||||
if err := json.Unmarshal([]byte(in), &out); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return out, nil
|
||||
}
|
||||
|
||||
func parseRbac(list string) []string {
|
||||
return strings.Split(list, ",")
|
||||
}
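Review bot: `parseWebhookAnnotations` accepts any JSON object of strings, but Kubernetes only accepts annotation keys that are qualified names and bounds the total annotations size, so a typo such as a key containing a space is not caught here and, if I read the controllers correctly, surfaces only as a rejected `Update` on every reconcile of every webhook configuration. Since this config map is operator-controlled, failing at load time with a clear message is the better place, and `k8s.io/apimachinery/pkg/api/validation` already exposes `ValidateAnnotations`; the file would need that import plus `k8s.io/apimachinery/pkg/util/validation/field`.
```go
func parseWebhookAnnotations(in string) (map[string]string, error) {
	// … unchanged: json.Unmarshal into out …
	// reject keys/values the API server would refuse, so a bad config map entry
	// is reported at load time instead of failing every webhook reconcile
	if errs := apivalidation.ValidateAnnotations(out, field.NewPath("webhookAnnotations")); len(errs) > 0 {
		return nil, errs.ToAggregate()
	}
	return out, nil
}
```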
|
||||
|
|
|
@ -40,8 +40,9 @@ type controller struct {
|
|||
vwcClient controllerutils.ObjectClient[*admissionregistrationv1.ValidatingWebhookConfiguration]
|
||||
|
||||
// listers
|
||||
vwcLister admissionregistrationv1listers.ValidatingWebhookConfigurationLister
|
||||
secretLister corev1listers.SecretNamespaceLister
|
||||
vwcLister admissionregistrationv1listers.ValidatingWebhookConfigurationLister
|
||||
secretLister corev1listers.SecretNamespaceLister
|
||||
configMapLister corev1listers.ConfigMapLister
|
||||
|
||||
// queue
|
||||
queue workqueue.RateLimitingInterface
|
||||
|
@ -63,6 +64,7 @@ func NewController(
|
|||
vwcClient controllerutils.ObjectClient[*admissionregistrationv1.ValidatingWebhookConfiguration],
|
||||
vwcInformer admissionregistrationv1informers.ValidatingWebhookConfigurationInformer,
|
||||
secretInformer corev1informers.SecretInformer,
|
||||
configMapInformer corev1informers.ConfigMapInformer,
|
||||
webhookName string,
|
||||
path string,
|
||||
server string,
|
||||
|
@ -73,19 +75,20 @@ func NewController(
|
|||
) controllers.Controller {
|
||||
queue := workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), controllerName)
|
||||
c := controller{
|
||||
vwcClient: vwcClient,
|
||||
vwcLister: vwcInformer.Lister(),
|
||||
secretLister: secretInformer.Lister().Secrets(config.KyvernoNamespace()),
|
||||
queue: queue,
|
||||
controllerName: controllerName,
|
||||
logger: logging.ControllerLogger(controllerName),
|
||||
webhookName: webhookName,
|
||||
path: path,
|
||||
server: server,
|
||||
servicePort: servicePort,
|
||||
rules: rules,
|
||||
failurePolicy: failurePolicy,
|
||||
sideEffects: sideEffects,
|
||||
vwcClient: vwcClient,
|
||||
vwcLister: vwcInformer.Lister(),
|
||||
secretLister: secretInformer.Lister().Secrets(config.KyvernoNamespace()),
|
||||
configMapLister: configMapInformer.Lister(),
|
||||
queue: queue,
|
||||
controllerName: controllerName,
|
||||
logger: logging.ControllerLogger(controllerName),
|
||||
webhookName: webhookName,
|
||||
path: path,
|
||||
server: server,
|
||||
servicePort: servicePort,
|
||||
rules: rules,
|
||||
failurePolicy: failurePolicy,
|
||||
sideEffects: sideEffects,
|
||||
}
|
||||
controllerutils.AddDefaultEventHandlers(c.logger, vwcInformer.Informer(), queue)
|
||||
controllerutils.AddEventHandlersT(
|
||||
|
@ -106,6 +109,24 @@ func NewController(
|
|||
}
|
||||
},
|
||||
)
|
||||
controllerutils.AddEventHandlersT(
|
||||
configMapInformer.Informer(),
|
||||
func(obj *corev1.ConfigMap) {
|
||||
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.KyvernoConfigMapName() {
|
||||
c.enqueue()
|
||||
}
|
||||
},
|
||||
func(_, obj *corev1.ConfigMap) {
|
||||
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.KyvernoConfigMapName() {
|
||||
c.enqueue()
|
||||
}
|
||||
},
|
||||
func(obj *corev1.ConfigMap) {
|
||||
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.KyvernoConfigMapName() {
|
||||
c.enqueue()
|
||||
}
|
||||
},
|
||||
)
|
||||
return &c
|
||||
}
|
||||
|
||||
|
@ -118,6 +139,15 @@ func (c *controller) enqueue() {
|
|||
c.queue.Add(c.webhookName)
|
||||
}
|
||||
|
||||
func (c *controller) loadConfig() config.Configuration {
|
||||
cfg := config.NewDefaultConfiguration()
|
||||
cm, err := c.configMapLister.ConfigMaps(config.KyvernoNamespace()).Get(config.KyvernoConfigMapName())
|
||||
if err == nil {
|
||||
cfg.Load(cm)
|
||||
}
|
||||
return cfg
|
||||
}
|
||||
|
||||
func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, _, _ string) error {
|
||||
if key != c.webhookName {
|
||||
return nil
|
||||
|
@ -126,7 +156,7 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, _,
|
|||
if err != nil {
|
||||
return err
|
||||
}
|
||||
desired, err := c.build(caData)
|
||||
desired, err := c.build(c.loadConfig(), caData)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
@ -140,6 +170,7 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, _,
|
|||
}
|
||||
_, err = controllerutils.Update(ctx, observed, c.vwcClient, func(w *admissionregistrationv1.ValidatingWebhookConfiguration) error {
|
||||
w.Labels = desired.Labels
|
||||
w.Annotations = desired.Annotations
|
||||
w.OwnerReferences = desired.OwnerReferences
|
||||
w.Webhooks = desired.Webhooks
|
||||
return nil
|
||||
|
@ -147,19 +178,20 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, _,
|
|||
return err
|
||||
}
|
||||
|
||||
func objectMeta(name string, owner ...metav1.OwnerReference) metav1.ObjectMeta {
|
||||
func objectMeta(name string, annotations map[string]string, owner ...metav1.OwnerReference) metav1.ObjectMeta {
|
||||
return metav1.ObjectMeta{
|
||||
Name: name,
|
||||
Labels: map[string]string{
|
||||
utils.ManagedByLabel: kyvernov1.ValueKyvernoApp,
|
||||
},
|
||||
Annotations: annotations,
|
||||
OwnerReferences: owner,
|
||||
}
|
||||
}
|
||||
|
||||
func (c *controller) build(caBundle []byte) (*admissionregistrationv1.ValidatingWebhookConfiguration, error) {
|
||||
func (c *controller) build(cfg config.Configuration, caBundle []byte) (*admissionregistrationv1.ValidatingWebhookConfiguration, error) {
|
||||
return &admissionregistrationv1.ValidatingWebhookConfiguration{
|
||||
ObjectMeta: objectMeta(c.webhookName),
|
||||
ObjectMeta: objectMeta(c.webhookName, cfg.GetWebhookAnnotations()),
|
||||
Webhooks: []admissionregistrationv1.ValidatingWebhook{{
|
||||
Name: fmt.Sprintf("%s.%s.svc", config.KyvernoServiceName(), config.KyvernoNamespace()),
|
||||
ClientConfig: c.clientConfig(caBundle),
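Review bot: `w.Annotations = desired.Annotations` in the update callback makes Kyverno the sole owner of the webhook configuration's annotations: anything set on the object out of band (by an operator, GitOps tooling or another controller) is now erased on every reconcile, and when the stanza is absent `desired.Annotations` is nil so the object is left with none. Before this change the reconcile did not touch annotations, so this is a behavioural change worth a line in the release notes or the `config.webhookAnnotations` doc, e.g. `Annotations on the webhook configurations are fully managed by Kyverno; any added out of band are removed.`; if preserving external ones is intended, merge into `w.Annotations` instead of assigning. The three identical ConfigMap event handlers could also share one `isKyvernoConfigMap(obj)` predicate. `NewController` and `reconcile` both start outside the hunks shown.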
|
||||
|
|
|
@ -365,12 +365,12 @@ func (c *controller) reconcileVerifyMutatingWebhookConfiguration(ctx context.Con
|
|||
return c.reconcileMutatingWebhookConfiguration(ctx, true, c.buildVerifyMutatingWebhookConfiguration)
|
||||
}
|
||||
|
||||
func (c *controller) reconcileValidatingWebhookConfiguration(ctx context.Context, autoUpdateWebhooks bool, build func([]byte) (*admissionregistrationv1.ValidatingWebhookConfiguration, error)) error {
|
||||
func (c *controller) reconcileValidatingWebhookConfiguration(ctx context.Context, autoUpdateWebhooks bool, build func(config.Configuration, []byte) (*admissionregistrationv1.ValidatingWebhookConfiguration, error)) error {
|
||||
caData, err := tls.ReadRootCASecret(c.secretLister.Secrets(config.KyvernoNamespace()))
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
desired, err := build(caData)
|
||||
desired, err := build(c.loadConfig(), caData)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
@ -387,6 +387,7 @@ func (c *controller) reconcileValidatingWebhookConfiguration(ctx context.Context
|
|||
}
|
||||
_, err = controllerutils.Update(ctx, observed, c.vwcClient, func(w *admissionregistrationv1.ValidatingWebhookConfiguration) error {
|
||||
w.Labels = desired.Labels
|
||||
w.Annotations = desired.Annotations
|
||||
w.OwnerReferences = desired.OwnerReferences
|
||||
w.Webhooks = desired.Webhooks
|
||||
return nil
|
||||
|
@ -394,12 +395,12 @@ func (c *controller) reconcileValidatingWebhookConfiguration(ctx context.Context
|
|||
return err
|
||||
}
|
||||
|
||||
func (c *controller) reconcileMutatingWebhookConfiguration(ctx context.Context, autoUpdateWebhooks bool, build func([]byte) (*admissionregistrationv1.MutatingWebhookConfiguration, error)) error {
|
||||
func (c *controller) reconcileMutatingWebhookConfiguration(ctx context.Context, autoUpdateWebhooks bool, build func(config.Configuration, []byte) (*admissionregistrationv1.MutatingWebhookConfiguration, error)) error {
|
||||
caData, err := tls.ReadRootCASecret(c.secretLister.Secrets(config.KyvernoNamespace()))
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
desired, err := build(caData)
|
||||
desired, err := build(c.loadConfig(), caData)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
@ -416,6 +417,7 @@ func (c *controller) reconcileMutatingWebhookConfiguration(ctx context.Context,
|
|||
}
|
||||
_, err = controllerutils.Update(ctx, observed, c.mwcClient, func(w *admissionregistrationv1.MutatingWebhookConfiguration) error {
|
||||
w.Labels = desired.Labels
|
||||
w.Annotations = desired.Annotations
|
||||
w.OwnerReferences = desired.OwnerReferences
|
||||
w.Webhooks = desired.Webhooks
|
||||
return nil
|
||||
|
@ -520,9 +522,9 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, nam
|
|||
return nil
|
||||
}
|
||||
|
||||
func (c *controller) buildVerifyMutatingWebhookConfiguration(caBundle []byte) (*admissionregistrationv1.MutatingWebhookConfiguration, error) {
|
||||
func (c *controller) buildVerifyMutatingWebhookConfiguration(cfg config.Configuration, caBundle []byte) (*admissionregistrationv1.MutatingWebhookConfiguration, error) {
|
||||
return &admissionregistrationv1.MutatingWebhookConfiguration{
|
||||
ObjectMeta: objectMeta(config.VerifyMutatingWebhookConfigurationName, c.buildOwner()...),
|
||||
ObjectMeta: objectMeta(config.VerifyMutatingWebhookConfigurationName, cfg.GetWebhookAnnotations(), c.buildOwner()...),
|
||||
Webhooks: []admissionregistrationv1.MutatingWebhook{{
|
||||
Name: config.VerifyMutatingWebhookName,
|
||||
ClientConfig: c.clientConfig(caBundle, config.VerifyMutatingWebhookServicePath),
|
||||
|
@ -546,9 +548,9 @@ func (c *controller) buildVerifyMutatingWebhookConfiguration(caBundle []byte) (*
|
|||
nil
|
||||
}
|
||||
|
||||
func (c *controller) buildPolicyMutatingWebhookConfiguration(caBundle []byte) (*admissionregistrationv1.MutatingWebhookConfiguration, error) {
|
||||
func (c *controller) buildPolicyMutatingWebhookConfiguration(cfg config.Configuration, caBundle []byte) (*admissionregistrationv1.MutatingWebhookConfiguration, error) {
|
||||
return &admissionregistrationv1.MutatingWebhookConfiguration{
|
||||
ObjectMeta: objectMeta(config.PolicyMutatingWebhookConfigurationName, c.buildOwner()...),
|
||||
ObjectMeta: objectMeta(config.PolicyMutatingWebhookConfigurationName, cfg.GetWebhookAnnotations(), c.buildOwner()...),
|
||||
Webhooks: []admissionregistrationv1.MutatingWebhook{{
|
||||
Name: config.PolicyMutatingWebhookName,
|
||||
ClientConfig: c.clientConfig(caBundle, config.PolicyMutatingWebhookServicePath),
|
||||
|
@ -568,9 +570,9 @@ func (c *controller) buildPolicyMutatingWebhookConfiguration(caBundle []byte) (*
|
|||
nil
|
||||
}
|
||||
|
||||
func (c *controller) buildPolicyValidatingWebhookConfiguration(caBundle []byte) (*admissionregistrationv1.ValidatingWebhookConfiguration, error) {
|
||||
func (c *controller) buildPolicyValidatingWebhookConfiguration(cfg config.Configuration, caBundle []byte) (*admissionregistrationv1.ValidatingWebhookConfiguration, error) {
|
||||
return &admissionregistrationv1.ValidatingWebhookConfiguration{
|
||||
ObjectMeta: objectMeta(config.PolicyValidatingWebhookConfigurationName, c.buildOwner()...),
|
||||
ObjectMeta: objectMeta(config.PolicyValidatingWebhookConfigurationName, cfg.GetWebhookAnnotations(), c.buildOwner()...),
|
||||
Webhooks: []admissionregistrationv1.ValidatingWebhook{{
|
||||
Name: config.PolicyValidatingWebhookName,
|
||||
ClientConfig: c.clientConfig(caBundle, config.PolicyValidatingWebhookServicePath),
|
||||
|
@ -589,9 +591,9 @@ func (c *controller) buildPolicyValidatingWebhookConfiguration(caBundle []byte)
|
|||
nil
|
||||
}
|
||||
|
||||
func (c *controller) buildDefaultResourceMutatingWebhookConfiguration(caBundle []byte) (*admissionregistrationv1.MutatingWebhookConfiguration, error) {
|
||||
func (c *controller) buildDefaultResourceMutatingWebhookConfiguration(cfg config.Configuration, caBundle []byte) (*admissionregistrationv1.MutatingWebhookConfiguration, error) {
|
||||
return &admissionregistrationv1.MutatingWebhookConfiguration{
|
||||
ObjectMeta: objectMeta(config.MutatingWebhookConfigurationName, c.buildOwner()...),
|
||||
ObjectMeta: objectMeta(config.MutatingWebhookConfigurationName, cfg.GetWebhookAnnotations(), c.buildOwner()...),
|
||||
Webhooks: []admissionregistrationv1.MutatingWebhook{{
|
||||
Name: config.MutatingWebhookName + "-ignore",
|
||||
ClientConfig: c.clientConfig(caBundle, config.MutatingWebhookServicePath+"/ignore"),
|
||||
|
@ -616,9 +618,9 @@ func (c *controller) buildDefaultResourceMutatingWebhookConfiguration(caBundle [
|
|||
nil
|
||||
}
|
||||
|
||||
func (c *controller) buildResourceMutatingWebhookConfiguration(caBundle []byte) (*admissionregistrationv1.MutatingWebhookConfiguration, error) {
|
||||
func (c *controller) buildResourceMutatingWebhookConfiguration(cfg config.Configuration, caBundle []byte) (*admissionregistrationv1.MutatingWebhookConfiguration, error) {
|
||||
result := admissionregistrationv1.MutatingWebhookConfiguration{
|
||||
ObjectMeta: objectMeta(config.MutatingWebhookConfigurationName, c.buildOwner()...),
|
||||
ObjectMeta: objectMeta(config.MutatingWebhookConfigurationName, cfg.GetWebhookAnnotations(), c.buildOwner()...),
|
||||
Webhooks: []admissionregistrationv1.MutatingWebhook{},
|
||||
}
|
||||
if c.watchdogCheck() {
|
||||
|
@ -639,7 +641,6 @@ func (c *controller) buildResourceMutatingWebhookConfiguration(caBundle []byte)
|
|||
}
|
||||
}
|
||||
}
|
||||
cfg := c.loadConfig()
|
||||
webhookCfg := config.WebhookConfig{}
|
||||
webhookCfgs := cfg.GetWebhooks()
|
||||
if len(webhookCfgs) > 0 {
|
||||
|
@ -685,13 +686,13 @@ func (c *controller) buildResourceMutatingWebhookConfiguration(caBundle []byte)
|
|||
return &result, nil
|
||||
}
|
||||
|
||||
func (c *controller) buildDefaultResourceValidatingWebhookConfiguration(caBundle []byte) (*admissionregistrationv1.ValidatingWebhookConfiguration, error) {
|
||||
func (c *controller) buildDefaultResourceValidatingWebhookConfiguration(cfg config.Configuration, caBundle []byte) (*admissionregistrationv1.ValidatingWebhookConfiguration, error) {
|
||||
sideEffects := &none
|
||||
if c.admissionReports {
|
||||
sideEffects = &noneOnDryRun
|
||||
}
|
||||
return &admissionregistrationv1.ValidatingWebhookConfiguration{
|
||||
ObjectMeta: objectMeta(config.ValidatingWebhookConfigurationName, c.buildOwner()...),
|
||||
ObjectMeta: objectMeta(config.ValidatingWebhookConfigurationName, cfg.GetWebhookAnnotations(), c.buildOwner()...),
|
||||
Webhooks: []admissionregistrationv1.ValidatingWebhook{{
|
||||
Name: config.ValidatingWebhookName + "-ignore",
|
||||
ClientConfig: c.clientConfig(caBundle, config.ValidatingWebhookServicePath+"/ignore"),
|
||||
|
@ -717,9 +718,9 @@ func (c *controller) buildDefaultResourceValidatingWebhookConfiguration(caBundle
|
|||
nil
|
||||
}
|
||||
|
||||
func (c *controller) buildResourceValidatingWebhookConfiguration(caBundle []byte) (*admissionregistrationv1.ValidatingWebhookConfiguration, error) {
|
||||
func (c *controller) buildResourceValidatingWebhookConfiguration(cfg config.Configuration, caBundle []byte) (*admissionregistrationv1.ValidatingWebhookConfiguration, error) {
|
||||
result := admissionregistrationv1.ValidatingWebhookConfiguration{
|
||||
ObjectMeta: objectMeta(config.ValidatingWebhookConfigurationName, c.buildOwner()...),
|
||||
ObjectMeta: objectMeta(config.ValidatingWebhookConfigurationName, cfg.GetWebhookAnnotations(), c.buildOwner()...),
|
||||
Webhooks: []admissionregistrationv1.ValidatingWebhook{},
|
||||
}
|
||||
if c.watchdogCheck() {
|
||||
|
@ -740,7 +741,6 @@ func (c *controller) buildResourceValidatingWebhookConfiguration(caBundle []byte
|
|||
}
|
||||
}
|
||||
}
|
||||
cfg := c.loadConfig()
|
||||
webhookCfg := config.WebhookConfig{}
|
||||
webhookCfgs := cfg.GetWebhooks()
|
||||
if len(webhookCfgs) > 0 {
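Review bot: In `reconcileValidatingWebhookConfiguration` and `reconcileMutatingWebhookConfiguration` the annotations travel in the same `Update` as `desired.Webhooks`, which carries the refreshed `caBundle`, so an annotation set the API server refuses (an invalid key, or the annotations size limit) would, as far as I can tell, fail the whole reconcile and hold back the CA bundle refresh the webhook needs to keep admitting requests. Annotations are cosmetic metadata and should never be able to block the clientConfig update, so either validate them when the config map is loaded or, in these two functions, log and drop them when validation fails rather than returning the error. Both reconcile functions and all the `build*` functions continue outside the hunks shown.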
|
||||
|
|
|
@ -85,12 +85,13 @@ func (wh *webhook) isEmpty() bool {
|
|||
return len(wh.rules) == 0
|
||||
}
|
||||
|
||||
func objectMeta(name string, owner ...metav1.OwnerReference) metav1.ObjectMeta {
|
||||
func objectMeta(name string, annotations map[string]string, owner ...metav1.OwnerReference) metav1.ObjectMeta {
|
||||
return metav1.ObjectMeta{
|
||||
Name: name,
|
||||
Labels: map[string]string{
|
||||
utils.ManagedByLabel: kyvernov1.ValueKyvernoApp,
|
||||
},
|
||||
Annotations: annotations,
|
||||
OwnerReferences: owner,
|
||||
}
|
||||
}
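Review bot: `objectMeta` now takes a map from the caller and stores it as-is, nil included, but has no doc comment; since it is called with the map returned by `cfg.GetWebhookAnnotations()`, the reader should know the map is not copied. A comment such as `// objectMeta builds the ObjectMeta for a Kyverno-managed webhook configuration: the managed-by label, the operator-supplied annotations (stored as given, nil allowed) and the owner references.` would do.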
|
||||
|
|