refer informer cache in policy controller for mutatingwebhookconfigs

2025-03-31 03:45:17 +00:00 · 2019-11-15 14:01:40 -08:00 · 2019-11-15 14:01:40 -08:00 · a315c22e2f
commit a315c22e2f
parent 54744151b2
7 changed files with 89 additions and 67 deletions
--- a/main.go
+++ b/main.go
@ -74,10 +74,7 @@ func main() {
 	}

 	// WERBHOOK REGISTRATION CLIENT
-	webhookRegistrationClient, err := webhookconfig.NewWebhookRegistrationClient(clientConfig, client, serverIP, int32(webhookTimeout))
-	if err != nil {
-		glog.Fatalf("Unable to register admission webhooks on cluster: %v\n", err)
-	}
+	webhookRegistrationClient := webhookconfig.NewWebhookRegistrationClient(clientConfig, client, serverIP, int32(webhookTimeout))

 	// KYVERNO CRD INFORMER
 	// watches CRD resources:
@ -90,7 +87,6 @@ func main() {
 	// watches namespace resource
 	// - cache resync time: 10 seconds
 	kubeInformer := kubeinformers.NewSharedInformerFactoryWithOptions(kubeClient, 10*time.Second)
-
 	// Configuration Data
 	// dyamically load the configuration from configMap
 	// - resource filters
@ -113,7 +109,17 @@ func main() {
 	// - process policy on existing resources
 	// - status aggregator: recieves stats when a policy is applied
 	//					    & updates the policy status
-	pc, err := policy.NewPolicyController(pclient, client, pInformer.Kyverno().V1().ClusterPolicies(), pInformer.Kyverno().V1().ClusterPolicyViolations(), pInformer.Kyverno().V1().NamespacedPolicyViolations(), egen, kubeInformer.Admissionregistration().V1beta1().MutatingWebhookConfigurations(), webhookRegistrationClient, configData, pvgen, policyMetaStore)
+	pc, err := policy.NewPolicyController(pclient,
+		client,
+		pInformer.Kyverno().V1().ClusterPolicies(),
+		pInformer.Kyverno().V1().ClusterPolicyViolations(),
+		pInformer.Kyverno().V1().NamespacedPolicyViolations(),
+		kubeInformer.Admissionregistration().V1beta1().MutatingWebhookConfigurations(),
+		webhookRegistrationClient,
+		configData,
+		egen,
+		pvgen,
+		policyMetaStore)
 	if err != nil {
 		glog.Fatalf("error creating policy controller: %v\n", err)
 	}
--- a/pkg/policy/controller.go
+++ b/pkg/policy/controller.go
@ -28,9 +28,9 @@ import (
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apimachinery/pkg/util/wait"
-	webhookinformer "k8s.io/client-go/informers/admissionregistration/v1beta1"
+	mconfiginformer "k8s.io/client-go/informers/admissionregistration/v1beta1"
 	typedcorev1 "k8s.io/client-go/kubernetes/typed/core/v1"
-	webhooklister "k8s.io/client-go/listers/admissionregistration/v1beta1"
+	mconfiglister "k8s.io/client-go/listers/admissionregistration/v1beta1"
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/tools/record"
 	"k8s.io/client-go/util/workqueue"
@ -71,10 +71,12 @@ type PolicyController struct {
 	pListerSynced cache.InformerSynced
 	// pvListerSynced returns true if the Policy store has been synced at least once
 	pvListerSynced cache.InformerSynced
-	// pvListerSynced returns true if the Policy store has been synced at least once
+	// pvListerSynced returns true if the Policy Violation store has been synced at least once
 	nspvListerSynced cache.InformerSynced
-	// mutationwebhookLister can list/get mutatingwebhookconfigurations
-	mutationwebhookLister webhooklister.MutatingWebhookConfigurationLister
+	// mwebhookconfigSynced returns true if the Mutating Webhook Config store has been synced at least once
+	mwebhookconfigSynced cache.InformerSynced
+	// list/get mutatingwebhookconfigurations
+	mWebhookConfigLister mconfiglister.MutatingWebhookConfigurationLister
 	// WebhookRegistrationClient
 	webhookRegistrationClient *webhookconfig.WebhookRegistrationClient
 	// Resource manager, manages the mapping for already processed resource
@ -90,10 +92,15 @@ type PolicyController struct {
 }

 // NewPolicyController create a new PolicyController
-func NewPolicyController(kyvernoClient *kyvernoclient.Clientset, client *client.Client, pInformer kyvernoinformer.ClusterPolicyInformer,
-	pvInformer kyvernoinformer.ClusterPolicyViolationInformer, nspvInformer kyvernoinformer.NamespacedPolicyViolationInformer,
-	eventGen event.Interface, webhookInformer webhookinformer.MutatingWebhookConfigurationInformer,
-	webhookRegistrationClient *webhookconfig.WebhookRegistrationClient, configHandler config.Interface,
+func NewPolicyController(kyvernoClient *kyvernoclient.Clientset,
+	client *client.Client,
+	pInformer kyvernoinformer.ClusterPolicyInformer,
+	pvInformer kyvernoinformer.ClusterPolicyViolationInformer,
+	nspvInformer kyvernoinformer.NamespacedPolicyViolationInformer,
+	mconfigwebhookinformer mconfiginformer.MutatingWebhookConfigurationInformer,
+	webhookRegistrationClient *webhookconfig.WebhookRegistrationClient,
+	configHandler config.Interface,
+	eventGen event.Interface,
 	pvGenerator policyviolation.GeneratorInterface,
 	pMetaStore policystore.UpdateInterface) (*PolicyController, error) {
 	// Event broad caster
@ -147,9 +154,8 @@ func NewPolicyController(kyvernoClient *kyvernoclient.Clientset, client *client.
 	pc.pListerSynced = pInformer.Informer().HasSynced
 	pc.pvListerSynced = pvInformer.Informer().HasSynced
 	pc.nspvListerSynced = nspvInformer.Informer().HasSynced
-
-	pc.mutationwebhookLister = webhookInformer.Lister()
-
+	pc.mwebhookconfigSynced = mconfigwebhookinformer.Informer().HasSynced
+	pc.mWebhookConfigLister = mconfigwebhookinformer.Lister()
 	// resource manager
 	// rebuild after 300 seconds/ 5 mins
 	//TODO: pass the time in seconds instead of converting it internally
@ -394,7 +400,7 @@ func (pc *PolicyController) Run(workers int, stopCh <-chan struct{}) {
 	glog.Info("Starting policy controller")
 	defer glog.Info("Shutting down policy controller")

-	if !cache.WaitForCacheSync(stopCh, pc.pListerSynced, pc.pvListerSynced, pc.nspvListerSynced) {
+	if !cache.WaitForCacheSync(stopCh, pc.pListerSynced, pc.pvListerSynced, pc.nspvListerSynced, pc.mwebhookconfigSynced) {
 		return
 	}
 	for i := 0; i < workers; i++ {
--- a/pkg/policy/webhookregistration.go
+++ b/pkg/policy/webhookregistration.go
@ -9,6 +9,17 @@ import (
 func (pc *PolicyController) removeResourceWebhookConfiguration() error {
 	removeWebhookConfig := func() error {
 		var err error
+		// check informer cache
+		configName := pc.webhookRegistrationClient.GetResourceMutatingWebhookConfigName()
+		config, err := pc.mWebhookConfigLister.Get(configName)
+		if err != nil {
+			glog.V(4).Infof("failed to list mutating webhook config: %v", err)
+			return err
+		}
+		if config == nil {
+			// as no resource is found
+			return nil
+		}
 		err = pc.webhookRegistrationClient.RemoveResourceMutatingWebhookConfiguration()
 		if err != nil {
 			return err
@ -30,7 +41,7 @@ func (pc *PolicyController) removeResourceWebhookConfiguration() error {
 		return removeWebhookConfig()
 	}

-	// if there are policies, check if they contain mutating or validating rule
+	// if polices only have generate rules, we dont need the webhook
 	if !hasMutateOrValidatePolicies(policies) {
 		glog.V(4).Info("no policies with mutating or validating webhook configurations, remove resource webhook configuration if one exists")
 		return removeWebhookConfig()
@ -42,6 +53,17 @@ func (pc *PolicyController) removeResourceWebhookConfiguration() error {
 func (pc *PolicyController) createResourceMutatingWebhookConfigurationIfRequired(policy kyverno.ClusterPolicy) error {
 	// if the policy contains mutating & validation rules and it config does not exist we create one
 	if policy.HasMutateOrValidate() {
+		// check cache
+		configName := pc.webhookRegistrationClient.GetResourceMutatingWebhookConfigName()
+		config, err := pc.mWebhookConfigLister.Get(configName)
+		if err != nil {
+			glog.V(4).Infof("failed to list mutating webhook configuration: %v", err)
+			return err
+		}
+		if config != nil {
+			// mutating webhoook configuration already exists
+			return nil
+		}
 		if err := pc.webhookRegistrationClient.CreateResourceMutatingWebhookConfiguration(); err != nil {
 			return err
 		}
--- a/pkg/webhookconfig/checker.go
+++ b/pkg/webhookconfig/checker.go
@ -67,7 +67,7 @@ func (wrc *WebhookRegistrationClient) removeVerifyWebhookMutatingWebhookConfig()
 		mutatingConfig = config.VerifyMutatingWebhookConfigurationName
 	}
 	glog.V(4).Infof("removing webhook configuration %s", mutatingConfig)
-	err = wrc.registrationClient.MutatingWebhookConfigurations().Delete(mutatingConfig, &v1.DeleteOptions{})
+	err = wrc.client.DeleteResouce(MutatingWebhookConfigurationKind, "", mutatingConfig, false)
 	if errorsapi.IsNotFound(err) {
 		glog.V(4).Infof("verify webhook configuration %s, does not exits. not deleting", mutatingConfig)
 	} else if err != nil {
--- a/pkg/webhookconfig/policy.go
+++ b/pkg/webhookconfig/policy.go
@ -118,7 +118,7 @@ func (wrc *WebhookRegistrationClient) removePolicyWebhookConfigurations() {
 		validatingConfig = config.PolicyValidatingWebhookConfigurationName
 	}
 	glog.V(4).Infof("removing webhook configuration %s", validatingConfig)
-	err = wrc.registrationClient.ValidatingWebhookConfigurations().Delete(validatingConfig, &v1.DeleteOptions{})
+	err = wrc.client.DeleteResouce(ValidatingWebhookConfigurationKind, "", validatingConfig, false)
 	if errorsapi.IsNotFound(err) {
 		glog.V(4).Infof("policy webhook configuration %s, does not exits. not deleting", validatingConfig)
 	} else if err != nil {
@ -136,7 +136,7 @@ func (wrc *WebhookRegistrationClient) removePolicyWebhookConfigurations() {
 	}

 	glog.V(4).Infof("removing webhook configuration %s", mutatingConfig)
-	err = wrc.registrationClient.MutatingWebhookConfigurations().Delete(mutatingConfig, &v1.DeleteOptions{})
+	err = wrc.client.DeleteResouce(MutatingWebhookConfigurationKind, "", mutatingConfig, false)
 	if errorsapi.IsNotFound(err) {
 		glog.V(4).Infof("policy webhook configuration %s, does not exits. not deleting", mutatingConfig)
 	} else if err != nil {
--- a/pkg/webhookconfig/registration.go
+++ b/pkg/webhookconfig/registration.go
@ -5,41 +5,38 @@ import (
 	"time"

 	"github.com/golang/glog"
-	"github.com/nirmata/kyverno/pkg/config"
 	client "github.com/nirmata/kyverno/pkg/dclient"
 	admregapi "k8s.io/api/admissionregistration/v1beta1"
 	errorsapi "k8s.io/apimachinery/pkg/api/errors"
-	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	admregclient "k8s.io/client-go/kubernetes/typed/admissionregistration/v1beta1"
 	rest "k8s.io/client-go/rest"
 )

+const (
+	MutatingWebhookConfigurationKind   string = "MutatingWebhookConfiguration"
+	ValidatingWebhookConfigurationKind string = "ValidatingWebhookConfiguration"
+)
+
 // WebhookRegistrationClient is client for registration webhooks on cluster
 type WebhookRegistrationClient struct {
-	registrationClient *admregclient.AdmissionregistrationV1beta1Client
-	client             *client.Client
-	clientConfig       *rest.Config
+	client       *client.Client
+	clientConfig *rest.Config
 	// serverIP should be used if running Kyverno out of clutser
 	serverIP       string
 	timeoutSeconds int32
 }

 // NewWebhookRegistrationClient creates new WebhookRegistrationClient instance
-func NewWebhookRegistrationClient(clientConfig *rest.Config, client *client.Client, serverIP string, webhookTimeout int32) (*WebhookRegistrationClient, error) {
-	registrationClient, err := admregclient.NewForConfig(clientConfig)
-	if err != nil {
-		return nil, err
-	}
-
-	glog.V(4).Infof("Registering webhook client using serverIP %s\n", serverIP)
-
+func NewWebhookRegistrationClient(
+	clientConfig *rest.Config,
+	client *client.Client,
+	serverIP string,
+	webhookTimeout int32) *WebhookRegistrationClient {
 	return &WebhookRegistrationClient{
-		registrationClient: registrationClient,
-		client:             client,
-		clientConfig:       clientConfig,
-		serverIP:           serverIP,
-		timeoutSeconds:     webhookTimeout,
-	}, nil
+		clientConfig:   clientConfig,
+		client:         client,
+		serverIP:       serverIP,
+		timeoutSeconds: webhookTimeout,
+	}
 }

 // Register creates admission webhooks configs on cluster
@ -105,8 +102,7 @@ func (wrc *WebhookRegistrationClient) CreateResourceMutatingWebhookConfiguration
 		// clientConfig - service
 		config = wrc.constructMutatingWebhookConfig(caData)
 	}
-
-	_, err := wrc.registrationClient.MutatingWebhookConfigurations().Create(config)
+	_, err := wrc.client.CreateResource(MutatingWebhookConfigurationKind, "", *config, false)
 	if errorsapi.IsAlreadyExists(err) {
 		glog.V(4).Infof("resource mutating webhook configuration %s, already exists. not creating one", config.Name)
 		return nil
@ -118,18 +114,6 @@ func (wrc *WebhookRegistrationClient) CreateResourceMutatingWebhookConfiguration
 	return nil
 }

-//GetResourceMutatingWebhookConfiguration returns the MutatingWebhookConfiguration
-func (wrc *WebhookRegistrationClient) GetResourceMutatingWebhookConfiguration() (*admregapi.MutatingWebhookConfiguration, error) {
-	var name string
-	if wrc.serverIP != "" {
-		name = config.MutatingWebhookConfigurationDebugName
-	} else {
-		name = config.MutatingWebhookConfigurationName
-	}
-
-	return wrc.registrationClient.MutatingWebhookConfigurations().Get(name, v1.GetOptions{})
-}
-
 //registerPolicyValidatingWebhookConfiguration create a Validating webhook configuration for Policy CRD
 func (wrc *WebhookRegistrationClient) createPolicyValidatingWebhookConfiguration() error {
 	var caData []byte
@ -153,7 +137,7 @@ func (wrc *WebhookRegistrationClient) createPolicyValidatingWebhookConfiguration
 	}

 	// create validating webhook configuration resource
-	if _, err := wrc.registrationClient.ValidatingWebhookConfigurations().Create(config); err != nil {
+	if _, err := wrc.client.CreateResource(ValidatingWebhookConfigurationKind, "", *config, false); err != nil {
 		return err
 	}

@ -183,7 +167,7 @@ func (wrc *WebhookRegistrationClient) createPolicyMutatingWebhookConfiguration()
 	}

 	// create mutating webhook configuration resource
-	if _, err := wrc.registrationClient.MutatingWebhookConfigurations().Create(config); err != nil {
+	if _, err := wrc.client.CreateResource(MutatingWebhookConfigurationKind, "", *config, false); err != nil {
 		return err
 	}

@ -213,7 +197,7 @@ func (wrc *WebhookRegistrationClient) createVerifyMutatingWebhookConfiguration()
 	}

 	// create mutating webhook configuration resource
-	if _, err := wrc.registrationClient.MutatingWebhookConfigurations().Create(config); err != nil {
+	if _, err := wrc.client.CreateResource(MutatingWebhookConfigurationKind, "", *config, false); err != nil {
 		return err
 	}

--- a/pkg/webhookconfig/resource.go
+++ b/pkg/webhookconfig/resource.go
@ -58,16 +58,20 @@ func (wrc *WebhookRegistrationClient) constructMutatingWebhookConfig(caData []by
 	}
 }

+//GetResourceMutatingWebhookConfigName provi
+func (wrc *WebhookRegistrationClient) GetResourceMutatingWebhookConfigName() string {
+	if wrc.serverIP != "" {
+		return config.MutatingWebhookConfigurationDebugName
+	}
+	return config.MutatingWebhookConfigurationName
+}
+
 //RemoveResourceMutatingWebhookConfiguration removes mutating webhook configuration for all resources
 func (wrc *WebhookRegistrationClient) RemoveResourceMutatingWebhookConfiguration() error {
-	var configName string
-	if wrc.serverIP != "" {
-		configName = config.MutatingWebhookConfigurationDebugName
-	} else {
-		configName = config.MutatingWebhookConfigurationName
-	}
+
+	configName := wrc.GetResourceMutatingWebhookConfigName()
 	// delete webhook configuration
-	err := wrc.registrationClient.MutatingWebhookConfigurations().Delete(configName, &v1.DeleteOptions{})
+	err := wrc.client.DeleteResouce(MutatingWebhookConfigurationKind, "", configName, false)
 	if errors.IsNotFound(err) {
 		glog.V(4).Infof("resource webhook configuration %s does not exits, so not deleting", configName)
 		return nil