
fix: replace background sa name in config by a flag (#6790)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché 2023-04-05 13:50:29 +02:00 committed by GitHub
parent a188491091
commit a710cccb7a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
9 changed files with 42 additions and 65 deletions


@ -204,7 +204,6 @@ The command removes all the Kubernetes components associated with the chart and
| config.defaultRegistry | string | `"docker.io"` | The registry hostname used for the image mutation. |
| config.excludeGroups | list | `[]` | Exclude groups |
| config.excludeUsernames | list | `[]` | Exclude usernames |
| config.excludeBackgroundUsernames | list | `[]` | Exclude usernames for mutateExisting and generate policies |
| config.generateSuccessEvents | bool | `false` | Generate success events. |
| config.resourceFilters | list | See [values.yaml](values.yaml) | Resource types to be skipped by the Kyverno policy engine. Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list. These are joined together without spaces, run through `tpl`, and the result is set in the config map. |
| config.webhooks | list | `[]` | Defines the `namespaceSelector` in the webhook configurations. Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element will be forwarded to the webhook configurations. The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default) |


@ -119,6 +119,7 @@ spec:
image: {{ include "kyverno.image" (dict "image" .Values.admissionController.container.image "defaultTag" .Chart.AppVersion) | quote }}
imagePullPolicy: {{ .Values.admissionController.container.image.pullPolicy }}
args:
- --backgroundServiceAccountName='system:serviceaccount:{{ include "kyverno.namespace" . }}:{{ include "kyverno.background-controller.serviceAccountName" . }}'
- --servicePort={{ .Values.admissionController.service.port }}
- --loggingFormat={{ .Values.admissionController.logging.format }}
{{- if .Values.admissionController.tracing.enabled }}
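Review bot: The added argument `- --backgroundServiceAccountName='system:serviceaccount:{{ ... }}:{{ ... }}'` wraps the value in single quotes, and since container args are handed to the binary directly rather than through a shell, those quotes become part of the flag value. The handler later compares that value with `==` against the username carried in the AdmissionRequest, which will not contain quote characters, so as far as I can tell the comparison can never succeed and the background-controller exclusion is silently disabled. Drop the quotes: `- --backgroundServiceAccountName=system:serviceaccount:{{ include "kyverno.namespace" . }}:{{ include "kyverno.background-controller.serviceAccountName" . }}`. The same quoting appears in the generated install manifest further down in this commit (`--backgroundServiceAccountName='system:serviceaccount:kyverno:kyverno-background-controller'`).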


@ -28,13 +28,6 @@ data:
{{- with .Values.config.excludeClusterRoles }}
excludeClusterRoles: {{ join "," . | quote }}
{{- end -}}
{{- $backgroundUsernames := (printf "system:serviceaccount:%s:%s" (include "kyverno.namespace" .) (include "kyverno.background-controller.serviceAccountName" .)) }}
{{- if .Values.config.excludeBackgroundUsernames }}
{{- $backgroundUsernames = prepend .Values.config.excludeBackgroundUsernames $backgroundUsernames}}
excludeBackgroundUsernames: {{ join "," $backgroundUsernames | quote }}
{{- else }}
excludeBackgroundUsernames: {{ $backgroundUsernames }}
{{- end -}}
{{- if .Values.config.resourceFilters }}
resourceFilters: {{ include "kyverno.config.resourceFilters" . | quote }}
{{- end -}}


@ -55,9 +55,6 @@ config:
# -- Exclude usernames
excludeUsernames: []
# -- Exclude usernames for mutateExisting and generate policies
excludeBackgroundUsernames: []
# -- Generate success events.
generateSuccessEvents: false


@ -231,6 +231,7 @@ func main() {
enablePolicyException bool
exceptionNamespace string
servicePort int
backgroundServiceAccountName string
)
flagset := flag.NewFlagSet("kyverno", flag.ExitOnError)
flagset.BoolVar(&dumpPayload, "dumpPayload", false, "Set this flag to activate/deactivate debug mode.")
@ -250,6 +251,7 @@ func main() {
flagset.StringVar(&exceptionNamespace, "exceptionNamespace", "", "Configure the namespace to accept PolicyExceptions.")
flagset.BoolVar(&enablePolicyException, "enablePolicyException", false, "Enable PolicyException feature.")
flagset.IntVar(&servicePort, "servicePort", 443, "Port used by the Kyverno Service resource and for webhook configurations.")
flagset.StringVar(&backgroundServiceAccountName, "backgroundServiceAccountName", "", "Background service account name.")
// config
appConfig := internal.NewConfiguration(
internal.WithProfiling(),
@ -518,6 +520,7 @@ func main() {
eventGenerator,
openApiManager,
admissionReports,
backgroundServiceAccountName,
)
exceptionHandlers := webhooksexception.NewHandlers(exception.ValidationOptions{
Enabled: enablePolicyException,
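Review bot: The new flag registered by `flagset.StringVar(&backgroundServiceAccountName, "backgroundServiceAccountName", "", ...)` defaults to an empty string and is never validated, so a deployment that omits it runs with the background-controller exclusion effectively off and nothing reports that. The help text "Background service account name." also does not say which form is expected, although the chart passes the full Kubernetes username; suggest `"Username of the background controller service account, in the form system:serviceaccount:<namespace>:<name>; admission requests from it skip generate and mutateExisting handling."`. Logging the configured value at startup, or failing fast when it is empty, would make misconfiguration visible. main continues outside the hunk.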


@ -66,7 +66,6 @@ data:
enableDefaultRegistryMutation: "true"
defaultRegistry: "docker.io"
generateSuccessEvents: "false"
excludeBackgroundUsernames: system:serviceaccount:kyverno:kyverno-background-controller
resourceFilters: "[*,kyverno,*][Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][Binding,*,*][ReplicaSet,*,*][AdmissionReport,*,*][ClusterAdmissionReport,*,*][BackgroundScanReport,*,*][ClusterBackgroundScanReport,*,*][ClusterRole,*,kyverno:admission-controller][ClusterRole,*,kyverno:admission-controller:core][ClusterRole,*,kyverno:admission-controller:additional][ClusterRole,*,kyverno:background-controller][ClusterRole,*,kyverno:background-controller:core][ClusterRole,*,kyverno:background-controller:additional][ClusterRole,*,kyverno:cleanup-controller][ClusterRole,*,kyverno:cleanup-controller:core][ClusterRole,*,kyverno:cleanup-controller:additional][ClusterRole,*,kyverno:reports-controller][ClusterRole,*,kyverno:reports-controller:core][ClusterRole,*,kyverno:reports-controller:additional][ClusterRoleBinding,*,kyverno:admission-controller][ClusterRoleBinding,*,kyverno:background-controller][ClusterRoleBinding,*,kyverno:cleanup-controller][ClusterRoleBinding,*,kyverno:reports-controller][ServiceAccount,kyverno,kyverno-admission-controller][ServiceAccount,kyverno,kyverno-background-controller][ServiceAccount,kyverno,kyverno-cleanup-controller][ServiceAccount,kyverno,kyverno-reports-controller][Role,kyverno,kyverno:admission-controller][Role,kyverno,kyverno:background-controller][Role,kyverno,kyverno:cleanup-controller][Role,kyverno,kyverno:reports-controller][RoleBinding,kyverno,kyverno:admission-controller][RoleBinding,kyverno,kyverno:background-controller][RoleBinding,kyverno,kyverno:cleanup-controller][RoleBinding,kyverno,kyverno:reports-controller][ConfigMap,kyverno,kyverno][ConfigMap,kyverno,kyverno-metrics][Deployment,kyverno,kyverno-admission-controller][Deployment,kyverno,kyverno-background-controller][Deployment,kyverno,kyverno-cleanup-controller][Deployment,kyverno,kyverno-reports-controller][Pod,kyverno,kyverno-admission-controller-*][Pod,kyvern
o,kyverno-background-controller-*][Pod,kyverno,kyverno-cleanup-controller-*][Pod,kyverno,kyverno-reports-controller-*][Job,kyverno,kyverno-hook-pre-delete][NetworkPolicy,kyverno,kyverno-admission-controller][NetworkPolicy,kyverno,kyverno-background-controller][NetworkPolicy,kyverno,kyverno-cleanup-controller][NetworkPolicy,kyverno,kyverno-reports-controller][PodDisruptionBudget,kyverno,kyverno-admission-controller][PodDisruptionBudget,kyverno,kyverno-background-controller][PodDisruptionBudget,kyverno,kyverno-cleanup-controller][PodDisruptionBudget,kyverno,kyverno-reports-controller][Service,kyverno,kyverno-svc][Service,kyverno,kyverno-svc-metrics][Service,kyverno,kyverno-background-controller-metrics][Service,kyverno,kyverno-cleanup-controller][Service,kyverno,kyverno-cleanup-controller-metrics][Service,kyverno,kyverno-reports-controller-metrics][ServiceMonitor,kyverno,kyverno-admission-controller][ServiceMonitor,kyverno,kyverno-background-controller][ServiceMonitor,kyverno,kyverno-cleanup-controller][ServiceMonitor,kyverno,kyverno-reports-controller][Secret,kyverno,kyverno-svc.kyverno.svc.*][Secret,kyverno,kyverno-cleanup-controller.kyverno.svc.*]"
webhooks: '[{"namespaceSelector": {"matchExpressions": [{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kyverno"]}]}}]'
---
@ -34610,6 +34609,7 @@ spec:
image: "ghcr.io/kyverno/kyverno:latest"
imagePullPolicy: IfNotPresent
args:
- --backgroundServiceAccountName='system:serviceaccount:kyverno:kyverno-background-controller'
- --servicePort=443
- --loggingFormat=text
- --disableMetrics=false


@ -147,8 +147,6 @@ type Configuration interface {
GetExcludedRoles() []string
// GetExcludedClusterRoles return excluded roles
GetExcludedClusterRoles() []string
// GetExcludedBackgroundUsernames return exclude usernames for mutateExisting and generate policies
GetExcludedBackgroundUsernames() []string
// GetGenerateSuccessEvents return if should generate success events
GetGenerateSuccessEvents() bool
// GetWebhooks returns the webhook configs
@ -168,7 +166,6 @@ type configuration struct {
excludedUsernames []string
excludedRoles []string
excludedClusterRoles []string
excludeBackgroundUsernames []string
filters []filter
generateSuccessEvents bool
webhooks []WebhookConfig
@ -249,12 +246,6 @@ func (cd *configuration) GetExcludedClusterRoles() []string {
return cd.excludedClusterRoles
}
func (cd *configuration) GetExcludedBackgroundUsernames() []string {
cd.mux.RLock()
defer cd.mux.RUnlock()
return cd.excludeBackgroundUsernames
}
func (cd *configuration) GetExcludedGroups() []string {
cd.mux.RLock()
defer cd.mux.RUnlock()
@ -356,13 +347,6 @@ func (cd *configuration) load(cm *corev1.ConfigMap) {
} else {
cd.excludedClusterRoles = parseStrings(excludedClusterRoles)
}
// load excludeBackgroundUsernames
excludeBackgroundUsernames, ok := cm.Data["excludeBackgroundUsernames"]
if !ok {
logger.V(6).Info("configuration: No excludeBackgroundUsernames defined in ConfigMap")
} else {
cd.excludeBackgroundUsernames = parseStrings(excludeBackgroundUsernames)
}
// load generateSuccessEvents
generateSuccessEvents, ok := cm.Data["generateSuccessEvents"]
if ok {


@ -60,6 +60,7 @@ type resourceHandlers struct {
pcBuilder webhookutils.PolicyContextBuilder
admissionReports bool
backgroungServiceAccountName string
}
func NewHandlers(
@ -80,6 +81,7 @@ func NewHandlers(
eventGen event.Interface,
openApiManager openapi.ValidateInterface,
admissionReports bool,
backgroungServiceAccountName string,
) webhooks.ResourceHandlers {
return &resourceHandlers{
engine: engine,
@ -98,6 +100,7 @@ func NewHandlers(
openApiManager: openApiManager,
pcBuilder: webhookutils.NewPolicyContextBuilder(configuration),
admissionReports: admissionReports,
backgroungServiceAccountName: backgroungServiceAccountName,
}
}
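Review bot: The new struct field, the NewHandlers parameter and the composite-literal key are all spelled `backgroungServiceAccountName` (missing the `d`), and handleBackgroundApplies uses the same spelling; it should be `backgroundServiceAccountName` throughout, matching the flag name registered in main. The field also carries no comment saying what it is compared against; `// backgroundServiceAccountName is the username (system:serviceaccount:<ns>:<name>) of the background controller; requests from it skip generate and mutateExisting handling.` would document it. NewHandlers' signature starts outside the hunk.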


@ -11,18 +11,15 @@ import (
"github.com/kyverno/kyverno/pkg/engine"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
"github.com/kyverno/kyverno/pkg/event"
"github.com/kyverno/kyverno/pkg/utils/wildcard"
"github.com/kyverno/kyverno/pkg/webhooks/resource/generation"
admissionv1 "k8s.io/api/admission/v1"
)
// handleBackgroundApplies applies generate and mutateExisting policies, and creates update requests for background reconcile
func (h *resourceHandlers) handleBackgroundApplies(ctx context.Context, logger logr.Logger, request admissionv1.AdmissionRequest, policyContext *engine.PolicyContext, generatePolicies, mutatePolicies []kyvernov1.PolicyInterface, ts time.Time) {
for _, username := range h.configuration.GetExcludedBackgroundUsernames() {
if wildcard.Match(username, policyContext.AdmissionInfo().AdmissionUserInfo.Username) {
if h.backgroungServiceAccountName == policyContext.AdmissionInfo().AdmissionUserInfo.Username {
return
}
}
go h.handleMutateExisting(ctx, logger, request, mutatePolicies, policyContext, ts)
h.handleGenerate(ctx, logger, request, generatePolicies, policyContext, ts)
}
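Review bot: The new guard `if h.backgroungServiceAccountName == policyContext.AdmissionInfo().AdmissionUserInfo.Username` is an exact string comparison, whereas the removed loop matched each configured entry with wildcard.Match, so patterns and multiple usernames previously accepted through excludeBackgroundUsernames no longer apply; if that narrowing is intended it deserves a mention in the commit message. This early return appears to be what keeps the admission controller from creating update requests for the background controller's own writes, yet the skip leaves no trace in the logs. A debug line before the return, `logger.V(4).Info("skipping background applies for background controller request", "username", policyContext.AdmissionInfo().AdmissionUserInfo.Username)`, would make the exclusion observable when it is suspected of misfiring. The function's doc comment could also state that requests from the configured service account are skipped.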