mirror of
https://github.com/kyverno/kyverno.git
synced 2024-12-14 11:57:48 +00:00
refactor: webhooks server logger (#3904)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: shuting <shuting@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché
GitHub
parent
97cf1b3e95
commit
a5e623f939
3 changed files with 29 additions and 50 deletions
|
|
@ -42,26 +42,14 @@ func errorResponse(logger logr.Logger, err error, message string) *admissionv1.A
|
|||
return admissionutils.ResponseFailure(false, message+": "+err.Error())
|
||||
}
|
||||
|
||||
func setupLogger(logger logr.Logger, name string, request *admissionv1.AdmissionRequest) logr.Logger {
|
||||
return logger.WithName(name).WithValues(
|
||||
"uid", request.UID,
|
||||
"kind", request.Kind,
|
||||
"namespace", request.Namespace,
|
||||
"name", request.Name,
|
||||
"operation", request.Operation,
|
||||
"gvk", request.Kind.String(),
|
||||
)
|
||||
}
|
||||
|
||||
func (ws *WebhookServer) admissionHandler(filter bool, inner handlers.AdmissionHandler) http.HandlerFunc {
|
||||
func (ws *WebhookServer) admissionHandler(logger logr.Logger, filter bool, inner handlers.AdmissionHandler) http.HandlerFunc {
|
||||
if filter {
|
||||
inner = handlers.Filter(ws.configHandler, inner)
|
||||
inner = handlers.Filter(ws.configuration, inner)
|
||||
}
|
||||
return handlers.Monitor(ws.webhookMonitor, handlers.Admission(ws.log.WithName("handlerFunc"), inner))
|
||||
return handlers.Monitor(ws.webhookMonitor, handlers.Admission(logger, inner))
|
||||
}
|
||||
|
||||
func (ws *WebhookServer) policyMutation(request *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse {
|
||||
logger := setupLogger(ws.log, "PolicyMutationWebhook", request)
|
||||
func (ws *WebhookServer) policyMutation(logger logr.Logger, request *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse {
|
||||
policy, oldPolicy, err := admissionutils.GetPolicies(request)
|
||||
if err != nil {
|
||||
logger.Error(err, "failed to unmarshal policies from admission request")
|
||||
|
|
@ -86,8 +74,7 @@ func (ws *WebhookServer) policyMutation(request *admissionv1.AdmissionRequest) *
|
|||
}
|
||||
|
||||
//policyValidation performs the validation check on policy resource
|
||||
func (ws *WebhookServer) policyValidation(request *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse {
|
||||
logger := setupLogger(ws.log, "PolicyValidationWebhook", request)
|
||||
func (ws *WebhookServer) policyValidation(logger logr.Logger, request *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse {
|
||||
policy, oldPolicy, err := admissionutils.GetPolicies(request)
|
||||
if err != nil {
|
||||
logger.Error(err, "failed to unmarshal policies from admission request")
|
||||
|
|
@ -117,8 +104,7 @@ func (ws *WebhookServer) policyValidation(request *admissionv1.AdmissionRequest)
|
|||
}
|
||||
|
||||
// resourceMutation mutates resource
|
||||
func (ws *WebhookServer) resourceMutation(request *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse {
|
||||
logger := setupLogger(ws.log, "ResourceMutationWebhook", request)
|
||||
func (ws *WebhookServer) resourceMutation(logger logr.Logger, request *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse {
|
||||
if excludeKyvernoResources(request.Kind.Kind) {
|
||||
return admissionutils.ResponseSuccess(true, "")
|
||||
}
|
||||
|
|
@ -174,8 +160,7 @@ func (ws *WebhookServer) resourceMutation(request *admissionv1.AdmissionRequest)
|
|||
return admissionutils.ResponseSuccessWithPatch(true, "", patches)
|
||||
}
|
||||
|
||||
func (ws *WebhookServer) resourceValidation(request *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse {
|
||||
logger := setupLogger(ws.log, "ResourceValidationWebhook", request)
|
||||
func (ws *WebhookServer) resourceValidation(logger logr.Logger, request *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse {
|
||||
if request.Operation == admissionv1.Delete {
|
||||
ws.handleDelete(request)
|
||||
}
|
||||
|
|
@ -210,7 +195,7 @@ func (ws *WebhookServer) resourceValidation(request *admissionv1.AdmissionReques
|
|||
var roles, clusterRoles []string
|
||||
if containsRBACInfo(policies, generatePolicies) {
|
||||
var err error
|
||||
roles, clusterRoles, err = userinfo.GetRoleRef(ws.rbLister, ws.crbLister, request, ws.configHandler)
|
||||
roles, clusterRoles, err = userinfo.GetRoleRef(ws.rbLister, ws.crbLister, request, ws.configuration)
|
||||
if err != nil {
|
||||
return errorResponse(logger, err, "failed to fetch RBAC data")
|
||||
}
|
||||
|
|
@ -245,8 +230,8 @@ func (ws *WebhookServer) resourceValidation(request *admissionv1.AdmissionReques
|
|||
NewResource: newResource,
|
||||
OldResource: oldResource,
|
||||
AdmissionInfo: userRequestInfo,
|
||||
ExcludeGroupRole: ws.configHandler.GetExcludeGroupRole(),
|
||||
ExcludeResourceFunc: ws.configHandler.ToFilter,
|
||||
ExcludeGroupRole: ws.configuration.GetExcludeGroupRole(),
|
||||
ExcludeResourceFunc: ws.configuration.ToFilter,
|
||||
JSONContext: ctx,
|
||||
Client: ws.client,
|
||||
AdmissionOperation: true,
|
||||
|
|
|
|||
|
|
@ -14,7 +14,7 @@ import (
|
|||
admissionv1 "k8s.io/api/admission/v1"
|
||||
)
|
||||
|
||||
type AdmissionHandler func(*admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse
|
||||
type AdmissionHandler func(logr.Logger, *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse
|
||||
|
||||
func Admission(logger logr.Logger, inner AdmissionHandler) http.HandlerFunc {
|
||||
return func(writer http.ResponseWriter, request *http.Request) {
|
||||
|
|
@ -43,7 +43,7 @@ func Admission(logger logr.Logger, inner AdmissionHandler) http.HandlerFunc {
|
|||
http.Error(writer, "Can't decode body as AdmissionReview", http.StatusExpectationFailed)
|
||||
return
|
||||
}
|
||||
logger = logger.WithValues(
|
||||
logger := logger.WithValues(
|
||||
"kind", admissionReview.Request.Kind,
|
||||
"namespace", admissionReview.Request.Namespace,
|
||||
"name", admissionReview.Request.Name,
|
||||
|
|
@ -54,7 +54,7 @@ func Admission(logger logr.Logger, inner AdmissionHandler) http.HandlerFunc {
|
|||
Allowed: true,
|
||||
UID: admissionReview.Request.UID,
|
||||
}
|
||||
adminssionResponse := inner(admissionReview.Request)
|
||||
adminssionResponse := inner(logger, admissionReview.Request)
|
||||
if adminssionResponse != nil {
|
||||
admissionReview.Response = adminssionResponse
|
||||
}
|
||||
|
|
@ -67,7 +67,6 @@ func Admission(logger logr.Logger, inner AdmissionHandler) http.HandlerFunc {
|
|||
if _, err := writer.Write(responseJSON); err != nil {
|
||||
http.Error(writer, fmt.Sprintf("could not write response: %v", err), http.StatusInternalServerError)
|
||||
}
|
||||
|
||||
if admissionReview.Request.Kind.Kind == "Lease" {
|
||||
logger.V(6).Info("admission review request processed", "time", time.Since(startTime).String())
|
||||
} else {
|
||||
|
|
@ -77,24 +76,16 @@ func Admission(logger logr.Logger, inner AdmissionHandler) http.HandlerFunc {
|
|||
}
|
||||
|
||||
func Filter(c config.Configuration, inner AdmissionHandler) AdmissionHandler {
|
||||
return func(request *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse {
|
||||
return func(logger logr.Logger, request *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse {
|
||||
if c.ToFilter(request.Kind.Kind, request.Namespace, request.Name) {
|
||||
return nil
|
||||
}
|
||||
return inner(request)
|
||||
return inner(logger, request)
|
||||
}
|
||||
}
|
||||
|
||||
func Verify(m *webhookconfig.Monitor, logger logr.Logger) AdmissionHandler {
|
||||
return func(request *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse {
|
||||
logger = logger.WithValues(
|
||||
"action", "verify",
|
||||
"kind", request.Kind,
|
||||
"namespace", request.Namespace,
|
||||
"name", request.Name,
|
||||
"operation", request.Operation,
|
||||
"gvk", request.Kind.String(),
|
||||
)
|
||||
return func(logger logr.Logger, request *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse {
|
||||
logger.V(6).Info("incoming request", "last admission request timestamp", m.Time())
|
||||
return admissionutils.Response(true)
|
||||
}
|
||||
|
|
|
|||
|
|
@ -64,7 +64,7 @@ type WebhookServer struct {
|
|||
webhookRegister *webhookconfig.Register
|
||||
|
||||
// helpers to validate against current loaded configuration
|
||||
configHandler config.Configuration
|
||||
configuration config.Configuration
|
||||
|
||||
// channel for cleanup notification
|
||||
cleanUp chan<- struct{}
|
||||
|
|
@ -133,7 +133,7 @@ func NewWebhookServer(
|
|||
eventGen: eventGen,
|
||||
pCache: pCache,
|
||||
webhookRegister: webhookRegistrationClient,
|
||||
configHandler: configHandler,
|
||||
configuration: configHandler,
|
||||
cleanUp: cleanUp,
|
||||
webhookMonitor: webhookMonitor,
|
||||
prGenerator: prGenerator,
|
||||
|
|
@ -145,11 +145,14 @@ func NewWebhookServer(
|
|||
promConfig: promConfig,
|
||||
}
|
||||
mux := httprouter.New()
|
||||
mux.HandlerFunc("POST", config.MutatingWebhookServicePath, ws.admissionHandler(true, ws.resourceMutation))
|
||||
mux.HandlerFunc("POST", config.ValidatingWebhookServicePath, ws.admissionHandler(true, ws.resourceValidation))
|
||||
mux.HandlerFunc("POST", config.PolicyMutatingWebhookServicePath, ws.admissionHandler(true, ws.policyMutation))
|
||||
mux.HandlerFunc("POST", config.PolicyValidatingWebhookServicePath, ws.admissionHandler(true, ws.policyValidation))
|
||||
mux.HandlerFunc("POST", config.VerifyMutatingWebhookServicePath, ws.admissionHandler(false, handlers.Verify(ws.webhookMonitor, ws.log.WithName("verifyHandler"))))
|
||||
resourceLogger := ws.log.WithName("resource")
|
||||
policyLogger := ws.log.WithName("policy")
|
||||
verifyLogger := ws.log.WithName("verify")
|
||||
mux.HandlerFunc("POST", config.MutatingWebhookServicePath, ws.admissionHandler(resourceLogger.WithName("mutate"), true, ws.resourceMutation))
|
||||
mux.HandlerFunc("POST", config.ValidatingWebhookServicePath, ws.admissionHandler(resourceLogger.WithName("validate"), true, ws.resourceValidation))
|
||||
mux.HandlerFunc("POST", config.PolicyMutatingWebhookServicePath, ws.admissionHandler(policyLogger.WithName("mutate"), true, ws.policyMutation))
|
||||
mux.HandlerFunc("POST", config.PolicyValidatingWebhookServicePath, ws.admissionHandler(policyLogger.WithName("validate"), true, ws.policyValidation))
|
||||
mux.HandlerFunc("POST", config.VerifyMutatingWebhookServicePath, ws.admissionHandler(verifyLogger.WithName("mutate"), false, handlers.Verify(ws.webhookMonitor, ws.log.WithName("verifyHandler"))))
|
||||
mux.HandlerFunc("GET", config.LivenessServicePath, handlers.Probe(ws.webhookRegister.Check))
|
||||
mux.HandlerFunc("GET", config.ReadinessServicePath, handlers.Probe(nil))
|
||||
ws.server = &http.Server{
|
||||
|
|
@ -182,7 +185,7 @@ func (ws *WebhookServer) buildPolicyContext(request *admissionv1.AdmissionReques
|
|||
|
||||
if addRoles {
|
||||
var err error
|
||||
userRequestInfo.Roles, userRequestInfo.ClusterRoles, err = userinfo.GetRoleRef(ws.rbLister, ws.crbLister, request, ws.configHandler)
|
||||
userRequestInfo.Roles, userRequestInfo.ClusterRoles, err = userinfo.GetRoleRef(ws.rbLister, ws.crbLister, request, ws.configuration)
|
||||
if err != nil {
|
||||
return nil, errors.Wrap(err, "failed to fetch RBAC information for request")
|
||||
}
|
||||
|
|
@ -205,8 +208,8 @@ func (ws *WebhookServer) buildPolicyContext(request *admissionv1.AdmissionReques
|
|||
policyContext := &engine.PolicyContext{
|
||||
NewResource: resource,
|
||||
AdmissionInfo: userRequestInfo,
|
||||
ExcludeGroupRole: ws.configHandler.GetExcludeGroupRole(),
|
||||
ExcludeResourceFunc: ws.configHandler.ToFilter,
|
||||
ExcludeGroupRole: ws.configuration.GetExcludeGroupRole(),
|
||||
ExcludeResourceFunc: ws.configuration.ToFilter,
|
||||
JSONContext: ctx,
|
||||
Client: ws.client,
|
||||
AdmissionOperation: true,
|
||||
|
|
|
|||
Loading…
Reference in a new issue