diff --git a/definitions/install_profiling.yaml b/definitions/install_custom_args.yaml
similarity index 96%
rename from definitions/install_profiling.yaml
rename to definitions/install_custom_args.yaml
index e4cd43a6e4..e45d41294e 100644
--- a/definitions/install_profiling.yaml
+++ b/definitions/install_custom_args.yaml
@@ -227,8 +227,11 @@ spec:
 containers:
 - name: kyverno
 image: nirmata/kyverno:latest
+ args:
+ - "--webhooktimeout=4"
 # open one of the profiling flag here
- args: ["--cpu=true", "--filterK8Resources","[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*]Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*]"]
+ - "--cpu=true"
+ - "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*]Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*]"
 ports:
 - containerPort: 443
 securityContext:
diff --git a/main.go b/main.go
index 75c9b8e2c4..32847e7bc2 100644
--- a/main.go
+++ b/main.go
@@ -23,6 +23,7 @@ var (
 filterK8Resources string
 cpu bool
 memory bool
+ webhookTimeout int
 )
 func main() {
@@ -66,7 +67,7 @@ func main() {
 glog.Fatalf("Unable to create webhook server: %v\n", err)
 }
- webhookRegistrationClient, err := webhooks.NewWebhookRegistrationClient(clientConfig, client, serverIP)
+ webhookRegistrationClient, err := webhooks.NewWebhookRegistrationClient(clientConfig, client, serverIP, int32(webhookTimeout))
 if err != nil {
 glog.Fatalf("Unable to register admission webhooks on cluster: %v\n", err)
 }
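Review bot: In definitions/install_custom_args.yaml the new `--filterK8Resources=` argument carries over a malformed entry from the removed line: `[*,kube-node-lease,*]Node,*,*]` has no opening bracket before `Node`. The filter parser is not part of this diff, so the effect is uncertain, but the `Node` entry may be dropped or mis-read, and the set of resources excluded from admission-policy evaluation may then differ from what the manifest intends. The segment should read `[*,kube-node-lease,*][Node,*,*]`.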
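Review bot: `int32(webhookTimeout)` in main() converts the flag value with no range check, so zero, negative or oversized values (which wrap on conversion) reach the webhook registration unchanged. The Kubernetes admission registration API accepts `timeoutSeconds` only from 1 to 30, so a bad value would most likely surface later as a rejected webhook configuration rather than a clear startup error. I would validate before the call, e.g. `if webhookTimeout < 1 || webhookTimeout > 30 { glog.Fatalf("--webhooktimeout must be between 1 and 30 seconds, got %d", webhookTimeout) }`. main() begins and continues outside this hunk, so this assumes the flags are already parsed by the time this line runs.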
@@ -105,6 +106,7 @@ func init() {
 flag.BoolVar(&cpu, "cpu", false, "cpu profilling feature gate, default to false || cpu and memory profiling cannot be enabled at the same time")
 flag.BoolVar(&memory, "memory", false, "memory profilling feature gate, default to false || cpu and memory profiling cannot be enabled at the same time")
+ flag.IntVar(&webhookTimeout, "webhooktimeout", 2, "timeout for webhook configurations")
 flag.StringVar(&kubeconfig, "kubeconfig", "", "Path to a kubeconfig. Only required if out-of-cluster.")
 flag.StringVar(&serverIP, "serverIP", "", "IP address where Kyverno controller runs. Only required if out-of-cluster.")
 flag.StringVar(&filterK8Resources, "filterK8Resources", "", "k8 resource in format [kind,namespace,name] where policy is not evaluated by the admission webhook. example --filterKind \"[Deployment, kyverno, kyverno]\" --filterKind \"[Deployment, kyverno, kyverno],[Events, *, *]\"")
diff --git a/pkg/webhooks/registration.go b/pkg/webhooks/registration.go
index 4f7a239204..d7384dffa8 100644
--- a/pkg/webhooks/registration.go
+++ b/pkg/webhooks/registration.go
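Review bot: The help text on the `flag.IntVar` line in main.go's init() gives neither the unit nor the accepted range, and the only place the unit was recorded, the `// defaultWebhookTimeout = 2s` comment, is removed from registration.go by this commit. I would change the usage string to `"admission webhook timeout in seconds, between 1 and 30"`. The flag name is also all lower-case while the neighbouring `serverIP` and `filterK8Resources` use camel case; `webhookTimeout` would match them, with the manifest example updated to suit. init() continues outside this hunk.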
@@ -17,20 +17,18 @@ import (
 rest "k8s.io/client-go/rest"
 )
-// defaultWebhookTimeout = 2s
-var defaultWebhookTimeout = int32(2)
-
 // WebhookRegistrationClient is client for registration webhooks on cluster
 type WebhookRegistrationClient struct {
 registrationClient *admregclient.AdmissionregistrationV1beta1Client
 client *client.Client
 clientConfig *rest.Config
 // serverIP should be used if running Kyverno out of clutser
- serverIP string
+ serverIP string
+ timeoutSeconds int32
 }
 // NewWebhookRegistrationClient creates new WebhookRegistrationClient instance
-func NewWebhookRegistrationClient(clientConfig *rest.Config, client *client.Client, serverIP string) (*WebhookRegistrationClient, error) {
+func NewWebhookRegistrationClient(clientConfig *rest.Config, client *client.Client, serverIP string, webhookTimeout int32) (*WebhookRegistrationClient, error) {
 registrationClient, err := admregclient.NewForConfig(clientConfig)
 if err != nil {
 return nil, err
@@ -43,6 +41,7 @@ func NewWebhookRegistrationClient(clientConfig *rest.Config, client *client.Clie
 client: client,
 clientConfig: clientConfig,
 serverIP: serverIP,
+ timeoutSeconds: webhookTimeout,
 }, nil
 }
@@ -145,7 +144,9 @@ func (wrc *WebhookRegistrationClient) constructMutatingWebhookConfig(configurati
 config.MutatingWebhookName,
 config.MutatingWebhookServicePath,
 caData,
- false),
+ false,
+ wrc.timeoutSeconds,
+ ),
 },
 }, nil
 }
@@ -164,7 +165,8 @@ func (wrc *WebhookRegistrationClient) contructDebugMutatingWebhookConfig(caData
 config.MutatingWebhookName,
 url,
 caData,
- false),
+ false,
+ wrc.timeoutSeconds),
 },
 }
 }
@@ -198,7 +200,8 @@ func (wrc *WebhookRegistrationClient) constructValidatingWebhookConfig(configura
 config.ValidatingWebhookName,
 config.ValidatingWebhookServicePath,
 caData,
- true),
+ true,
+ wrc.timeoutSeconds),
 },
 }, nil
 }
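Review bot: The new `timeoutSeconds` field and the `webhookTimeout` parameter of `NewWebhookRegistrationClient` are undocumented, and with `defaultWebhookTimeout` removed nothing in this package states that the value is in seconds or which range is acceptable. I would extend the constructor's doc comment with `// webhookTimeout is the admission webhook timeout in seconds; the API server accepts 1-30.` and add `// timeoutSeconds is applied to every webhook this client registers` above the field. As far as the visible lines show, the constructor stores the value as given, so any validation has to happen in the caller. The constructor body is only partly shown across this hunk and the next.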
@@ -217,7 +220,8 @@ func (wrc *WebhookRegistrationClient) contructDebugValidatingWebhookConfig(caDat
 config.ValidatingWebhookName,
 url,
 caData,
- true),
+ true,
+ wrc.timeoutSeconds),
 },
 }
 }
@@ -251,7 +255,8 @@ func (wrc *WebhookRegistrationClient) contructPolicyValidatingWebhookConfig() (*
 config.PolicyValidatingWebhookName,
 config.PolicyValidatingWebhookServicePath,
 caData,
- true),
+ true,
+ wrc.timeoutSeconds),
 },
 }, nil
 }
@@ -270,12 +275,13 @@ func (wrc *WebhookRegistrationClient) contructDebugPolicyValidatingWebhookConfig
 config.PolicyValidatingWebhookName,
 url,
 caData,
- true),
+ true,
+ wrc.timeoutSeconds),
 },
 }
 }
-func constructWebhook(name, servicePath string, caData []byte, validation bool) admregapi.Webhook {
+func constructWebhook(name, servicePath string, caData []byte, validation bool, timeoutSeconds int32) admregapi.Webhook {
 resource := "*/*"
 apiGroups := "*"
 apiversions := "*"
@@ -320,11 +326,11 @@ func constructWebhook(name, servicePath string, caData []byte, validation bool)
 },
 },
 },
- TimeoutSeconds: &defaultWebhookTimeout,
+ TimeoutSeconds: &timeoutSeconds,
 }
 }
-func constructDebugWebhook(name, url string, caData []byte, validation bool) admregapi.Webhook {
+func constructDebugWebhook(name, url string, caData []byte, validation bool, timeoutSeconds int32) admregapi.Webhook {
 resource := "*/*"
 apiGroups := "*"
 apiversions := "*"
@@ -365,7 +371,7 @@ func constructDebugWebhook(name, url string, caData []byte, validation bool) adm
 },
 },
 },
- TimeoutSeconds: &defaultWebhookTimeout,
+ TimeoutSeconds: &timeoutSeconds,
 }
 }
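Review bot: `TimeoutSeconds: &timeoutSeconds` in constructWebhook and constructDebugWebhook makes the admission timeout operator-controlled, but nothing near the field says what happens to a request when the timeout is reached. That outcome is decided by the webhook's failure policy, which is not visible in these hunks: under `Ignore` a timed-out request is admitted without policy evaluation, under `Fail` it is rejected. A comment beside the field would record this, e.g. `// On timeout the API server applies the webhook's failure policy; a short timeout combined with Ignore lets requests skip policy checks.` Both function bodies are only partly shown here.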