expose webhook timeout configuration

definitions/install_custom_args.yaml

@@ -227,8 +227,11 @@ spec:
       containers:
         - name: kyverno
           image: nirmata/kyverno:latest
+          args: 
+          - "--webhooktimeout=4"
           # open one of the profiling flag here
-          args: ["--cpu=true", "--filterK8Resources","[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*]Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*]"]
+          - "--cpu=true"
+          - "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*]Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*]"
           ports:
           - containerPort: 443
           securityContext:

main.go

@@ -23,6 +23,7 @@ var (
 	filterK8Resources string
 	cpu               bool
 	memory            bool
+	webhookTimeout    int
 )
 
 func main() {
@@ -66,7 +67,7 @@ func main() {
 		glog.Fatalf("Unable to create webhook server: %v\n", err)
 	}
 
-	webhookRegistrationClient, err := webhooks.NewWebhookRegistrationClient(clientConfig, client, serverIP)
+	webhookRegistrationClient, err := webhooks.NewWebhookRegistrationClient(clientConfig, client, serverIP, int32(webhookTimeout))
 	if err != nil {
 		glog.Fatalf("Unable to register admission webhooks on cluster: %v\n", err)
 	}
@@ -105,6 +106,7 @@ func init() {
 	flag.BoolVar(&cpu, "cpu", false, "cpu profilling feature gate, default to false || cpu and memory profiling cannot be enabled at the same time")
 	flag.BoolVar(&memory, "memory", false, "memory profilling feature gate, default to false || cpu and memory profiling cannot be enabled at the same time")
 
+	flag.IntVar(&webhookTimeout, "webhooktimeout", 2, "timeout for webhook configurations")
 	flag.StringVar(&kubeconfig, "kubeconfig", "", "Path to a kubeconfig. Only required if out-of-cluster.")
 	flag.StringVar(&serverIP, "serverIP", "", "IP address where Kyverno controller runs. Only required if out-of-cluster.")
 	flag.StringVar(&filterK8Resources, "filterK8Resources", "", "k8 resource in format [kind,namespace,name] where policy is not evaluated by the admission webhook. example --filterKind \"[Deployment, kyverno, kyverno]\" --filterKind \"[Deployment, kyverno, kyverno],[Events, *, *]\"")

pkg/webhooks/registration.go

@@ -17,20 +17,18 @@ import (
 	rest "k8s.io/client-go/rest"
 )
 
-// defaultWebhookTimeout = 2s
-var defaultWebhookTimeout = int32(2)
-
 // WebhookRegistrationClient is client for registration webhooks on cluster
 type WebhookRegistrationClient struct {
 	registrationClient *admregclient.AdmissionregistrationV1beta1Client
 	client             *client.Client
 	clientConfig       *rest.Config
 	// serverIP should be used if running Kyverno out of clutser
-	serverIP string
+	serverIP       string
+	timeoutSeconds int32
 }
 
 // NewWebhookRegistrationClient creates new WebhookRegistrationClient instance
-func NewWebhookRegistrationClient(clientConfig *rest.Config, client *client.Client, serverIP string) (*WebhookRegistrationClient, error) {
+func NewWebhookRegistrationClient(clientConfig *rest.Config, client *client.Client, serverIP string, webhookTimeout int32) (*WebhookRegistrationClient, error) {
 	registrationClient, err := admregclient.NewForConfig(clientConfig)
 	if err != nil {
 		return nil, err
@@ -43,6 +41,7 @@ func NewWebhookRegistrationClient(clientConfig *rest.Config, client *client.Clie
 		client:             client,
 		clientConfig:       clientConfig,
 		serverIP:           serverIP,
+		timeoutSeconds:     webhookTimeout,
 	}, nil
 }
 
@@ -145,7 +144,9 @@ func (wrc *WebhookRegistrationClient) constructMutatingWebhookConfig(configurati
 				config.MutatingWebhookName,
 				config.MutatingWebhookServicePath,
 				caData,
-				false),
+				false,
+				wrc.timeoutSeconds,
+			),
 		},
 	}, nil
 }
@@ -164,7 +165,8 @@ func (wrc *WebhookRegistrationClient) contructDebugMutatingWebhookConfig(caData
 				config.MutatingWebhookName,
 				url,
 				caData,
-				false),
+				false,
+				wrc.timeoutSeconds),
 		},
 	}
 }
@@ -198,7 +200,8 @@ func (wrc *WebhookRegistrationClient) constructValidatingWebhookConfig(configura
 				config.ValidatingWebhookName,
 				config.ValidatingWebhookServicePath,
 				caData,
-				true),
+				true,
+				wrc.timeoutSeconds),
 		},
 	}, nil
 }
@@ -217,7 +220,8 @@ func (wrc *WebhookRegistrationClient) contructDebugValidatingWebhookConfig(caDat
 				config.ValidatingWebhookName,
 				url,
 				caData,
-				true),
+				true,
+				wrc.timeoutSeconds),
 		},
 	}
 }
@@ -251,7 +255,8 @@ func (wrc *WebhookRegistrationClient) contructPolicyValidatingWebhookConfig() (*
 				config.PolicyValidatingWebhookName,
 				config.PolicyValidatingWebhookServicePath,
 				caData,
-				true),
+				true,
+				wrc.timeoutSeconds),
 		},
 	}, nil
 }
@@ -270,12 +275,13 @@ func (wrc *WebhookRegistrationClient) contructDebugPolicyValidatingWebhookConfig
 				config.PolicyValidatingWebhookName,
 				url,
 				caData,
-				true),
+				true,
+				wrc.timeoutSeconds),
 		},
 	}
 }
 
-func constructWebhook(name, servicePath string, caData []byte, validation bool) admregapi.Webhook {
+func constructWebhook(name, servicePath string, caData []byte, validation bool, timeoutSeconds int32) admregapi.Webhook {
 	resource := "*/*"
 	apiGroups := "*"
 	apiversions := "*"
@@ -320,11 +326,11 @@ func constructWebhook(name, servicePath string, caData []byte, validation bool)
 				},
 			},
 		},
-		TimeoutSeconds: &defaultWebhookTimeout,
+		TimeoutSeconds: &timeoutSeconds,
 	}
 }
 
-func constructDebugWebhook(name, url string, caData []byte, validation bool) admregapi.Webhook {
+func constructDebugWebhook(name, url string, caData []byte, validation bool, timeoutSeconds int32) admregapi.Webhook {
 	resource := "*/*"
 	apiGroups := "*"
 	apiversions := "*"
@@ -365,7 +371,7 @@ func constructDebugWebhook(name, url string, caData []byte, validation bool) adm
 				},
 			},
 		},
-		TimeoutSeconds: &defaultWebhookTimeout,
+		TimeoutSeconds: &timeoutSeconds,
 	}
 }