mirror of
https://github.com/kyverno/kyverno.git
synced 2025-01-20 18:52:16 +00:00
refactor: remove common package (#5750)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
parent
59dd95b888
commit
ad19108d34
12 changed files with 148 additions and 181 deletions
|
@ -8,7 +8,7 @@ import (
|
|||
logr "github.com/go-logr/logr"
|
||||
kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"
|
||||
"github.com/kyverno/kyverno/pkg/clients/dclient"
|
||||
"github.com/kyverno/kyverno/pkg/common"
|
||||
retryutils "github.com/kyverno/kyverno/pkg/utils/retry"
|
||||
admissionv1 "k8s.io/api/admission/v1"
|
||||
"k8s.io/apimachinery/pkg/api/errors"
|
||||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||
|
@ -41,12 +41,12 @@ func GetResource(client dclient.Interface, urSpec kyvernov1beta1.UpdateRequestSp
|
|||
|
||||
var resource *unstructured.Unstructured
|
||||
var err error
|
||||
retry := func() error {
|
||||
retry := func(_ context.Context) error {
|
||||
resource, err = get()
|
||||
return err
|
||||
}
|
||||
|
||||
f := common.RetryFunc(time.Second, 5*time.Second, retry, "failed to get resource", log.WithName("getResource"))
|
||||
f := retryutils.RetryFunc(context.TODO(), time.Second, 5*time.Second, log.WithName("getResource"), "failed to get resource", retry)
|
||||
if err := f(); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
|
|
@ -19,7 +19,6 @@ import (
|
|||
kyvernov1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1"
|
||||
kyvernov1beta1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1beta1"
|
||||
"github.com/kyverno/kyverno/pkg/clients/dclient"
|
||||
pkgcommon "github.com/kyverno/kyverno/pkg/common"
|
||||
"github.com/kyverno/kyverno/pkg/config"
|
||||
"github.com/kyverno/kyverno/pkg/engine"
|
||||
enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
|
||||
|
@ -30,6 +29,7 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/event"
|
||||
"github.com/kyverno/kyverno/pkg/registryclient"
|
||||
kyvernoutils "github.com/kyverno/kyverno/pkg/utils"
|
||||
engineutils "github.com/kyverno/kyverno/pkg/utils/engine"
|
||||
kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
|
||||
"golang.org/x/exp/slices"
|
||||
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
||||
|
@ -157,7 +157,7 @@ func (c *GenerateController) ProcessUR(ur *kyvernov1beta1.UpdateRequest) error {
|
|||
}
|
||||
|
||||
// 2 - Apply the generate policy on the resource
|
||||
namespaceLabels := pkgcommon.GetNamespaceSelectorsFromNamespaceLister(resource.GetKind(), resource.GetNamespace(), c.nsLister, logger)
|
||||
namespaceLabels := engineutils.GetNamespaceSelectorsFromNamespaceLister(resource.GetKind(), resource.GetNamespace(), c.nsLister, logger)
|
||||
genResources, precreatedResource, err = c.applyGenerate(*resource, *ur, namespaceLabels)
|
||||
|
||||
if err != nil {
|
||||
|
|
|
@ -3,6 +3,7 @@ package background
|
|||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
|
@ -16,12 +17,12 @@ import (
|
|||
kyvernov1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1"
|
||||
kyvernov1beta1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1beta1"
|
||||
"github.com/kyverno/kyverno/pkg/clients/dclient"
|
||||
pkgCommon "github.com/kyverno/kyverno/pkg/common"
|
||||
"github.com/kyverno/kyverno/pkg/config"
|
||||
"github.com/kyverno/kyverno/pkg/engine/context/resolvers"
|
||||
"github.com/kyverno/kyverno/pkg/event"
|
||||
"github.com/kyverno/kyverno/pkg/registryclient"
|
||||
kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
|
||||
"github.com/pkg/errors"
|
||||
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/labels"
|
||||
|
@ -349,7 +350,7 @@ func (c *controller) deletePolicy(obj interface{}) {
|
|||
logger.V(4).Info("updating policy", "key", key)
|
||||
|
||||
// check if deleted policy is clone generate policy
|
||||
generatePolicyWithClone := pkgCommon.ProcessDeletePolicyForCloneGenerateRule(p, c.client, c.kyvernoClient, c.urLister, p.GetName(), logger)
|
||||
generatePolicyWithClone := c.processDeletePolicyForCloneGenerateRule(p, p.GetName())
|
||||
|
||||
// get the generated resource name from update request
|
||||
selector := labels.SelectorFromSet(labels.Set(map[string]string{
|
||||
|
@ -480,3 +481,67 @@ func (c *controller) getPolicy(key string) (kyvernov1.PolicyInterface, error) {
|
|||
}
|
||||
return c.polLister.Policies(namespace).Get(name)
|
||||
}
|
||||
|
||||
func (c *controller) processDeletePolicyForCloneGenerateRule(policy kyvernov1.PolicyInterface, pName string) bool {
|
||||
generatePolicyWithClone := false
|
||||
for _, rule := range policy.GetSpec().Rules {
|
||||
clone, sync := rule.GetCloneSyncForGenerate()
|
||||
if !(clone && sync) {
|
||||
continue
|
||||
}
|
||||
logger.V(4).Info("generate policy with clone, remove policy name from label of source resource")
|
||||
generatePolicyWithClone = true
|
||||
var retryCount int
|
||||
for retryCount < 5 {
|
||||
err := c.updateSourceResource(policy.GetName(), rule)
|
||||
if err != nil {
|
||||
logger.Error(err, "failed to update generate source resource labels")
|
||||
if apierrors.IsConflict(err) {
|
||||
retryCount++
|
||||
} else {
|
||||
break
|
||||
}
|
||||
}
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
return generatePolicyWithClone
|
||||
}
|
||||
|
||||
func (c *controller) updateSourceResource(pName string, rule kyvernov1.Rule) error {
|
||||
obj, err := c.client.GetResource(context.TODO(), "", rule.Generation.Kind, rule.Generation.Clone.Namespace, rule.Generation.Clone.Name)
|
||||
if err != nil {
|
||||
return errors.Wrapf(err, "source resource %s/%s/%s not found", rule.Generation.Kind, rule.Generation.Clone.Namespace, rule.Generation.Clone.Name)
|
||||
}
|
||||
|
||||
var update bool
|
||||
labels := obj.GetLabels()
|
||||
update, labels = removePolicyFromLabels(pName, labels)
|
||||
if !update {
|
||||
return nil
|
||||
}
|
||||
|
||||
obj.SetLabels(labels)
|
||||
_, err = c.client.UpdateResource(context.TODO(), obj.GetAPIVersion(), rule.Generation.Kind, rule.Generation.Clone.Namespace, obj, false)
|
||||
return err
|
||||
}
|
||||
|
||||
func removePolicyFromLabels(pName string, labels map[string]string) (bool, map[string]string) {
|
||||
if len(labels) == 0 {
|
||||
return false, labels
|
||||
}
|
||||
if labels["generate.kyverno.io/clone-policy-name"] != "" {
|
||||
policyNames := labels["generate.kyverno.io/clone-policy-name"]
|
||||
if strings.Contains(policyNames, pName) {
|
||||
desiredLabels := make(map[string]string, len(labels)-1)
|
||||
for k, v := range labels {
|
||||
if k != "generate.kyverno.io/clone-policy-name" {
|
||||
desiredLabels[k] = v
|
||||
}
|
||||
}
|
||||
return true, desiredLabels
|
||||
}
|
||||
}
|
||||
return false, labels
|
||||
}
|
||||
|
|
|
@ -1,150 +0,0 @@
|
|||
package common
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/go-logr/logr"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
"github.com/kyverno/kyverno/pkg/client/clientset/versioned"
|
||||
kyvernov1beta1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1beta1"
|
||||
"github.com/kyverno/kyverno/pkg/clients/dclient"
|
||||
enginutils "github.com/kyverno/kyverno/pkg/engine/utils"
|
||||
"github.com/kyverno/kyverno/pkg/logging"
|
||||
"github.com/pkg/errors"
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
||||
corev1listers "k8s.io/client-go/listers/core/v1"
|
||||
)
|
||||
|
||||
// Policy Reporting Types
|
||||
const (
|
||||
PolicyViolation = "POLICYVIOLATION"
|
||||
PolicyReport = "POLICYREPORT"
|
||||
)
|
||||
|
||||
// GetNamespaceSelectorsFromNamespaceLister - extract the namespacelabels when namespace lister is passed
|
||||
func GetNamespaceSelectorsFromNamespaceLister(kind, namespaceOfResource string, nsLister corev1listers.NamespaceLister, logger logr.Logger) map[string]string {
|
||||
namespaceLabels := make(map[string]string)
|
||||
if kind != "Namespace" && namespaceOfResource != "" {
|
||||
namespaceObj, err := nsLister.Get(namespaceOfResource)
|
||||
if err != nil {
|
||||
logging.Error(err, "failed to get the namespace", "name", namespaceOfResource)
|
||||
return namespaceLabels
|
||||
}
|
||||
return GetNamespaceLabels(namespaceObj, logger)
|
||||
}
|
||||
return namespaceLabels
|
||||
}
|
||||
|
||||
// GetNamespaceLabels - from namespace obj
|
||||
func GetNamespaceLabels(namespaceObj *corev1.Namespace, logger logr.Logger) map[string]string {
|
||||
namespaceObj.Kind = "Namespace"
|
||||
namespaceRaw, err := json.Marshal(namespaceObj)
|
||||
if err != nil {
|
||||
logger.Error(err, "failed to marshal namespace")
|
||||
}
|
||||
namespaceUnstructured, err := enginutils.ConvertToUnstructured(namespaceRaw)
|
||||
if err != nil {
|
||||
logger.Error(err, "failed to convert object resource to unstructured format")
|
||||
}
|
||||
return namespaceUnstructured.GetLabels()
|
||||
}
|
||||
|
||||
// RetryFunc allows retrying a function on error within a given timeout
|
||||
func RetryFunc(retryInterval, timeout time.Duration, run func() error, msg string, logger logr.Logger) func() error {
|
||||
return func() error {
|
||||
registerTimeout := time.After(timeout)
|
||||
registerTicker := time.NewTicker(retryInterval)
|
||||
defer registerTicker.Stop()
|
||||
var err error
|
||||
|
||||
loop:
|
||||
for {
|
||||
select {
|
||||
case <-registerTicker.C:
|
||||
err = run()
|
||||
if err != nil {
|
||||
logger.V(3).Info(msg, "reason", err.Error())
|
||||
} else {
|
||||
break loop
|
||||
}
|
||||
|
||||
case <-registerTimeout:
|
||||
return errors.Wrap(err, "retry times out")
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
func ProcessDeletePolicyForCloneGenerateRule(policy kyvernov1.PolicyInterface, client dclient.Interface, kyvernoClient versioned.Interface, urlister kyvernov1beta1listers.UpdateRequestNamespaceLister, pName string, logger logr.Logger) bool {
|
||||
generatePolicyWithClone := false
|
||||
for _, rule := range policy.GetSpec().Rules {
|
||||
clone, sync := rule.GetCloneSyncForGenerate()
|
||||
if !(clone && sync) {
|
||||
continue
|
||||
}
|
||||
|
||||
logger.V(4).Info("generate policy with clone, remove policy name from label of source resource")
|
||||
generatePolicyWithClone = true
|
||||
|
||||
var retryCount int
|
||||
for retryCount < 5 {
|
||||
err := updateSourceResource(policy.GetName(), rule, client, logger)
|
||||
if err != nil {
|
||||
logger.Error(err, "failed to update generate source resource labels")
|
||||
if apierrors.IsConflict(err) {
|
||||
retryCount++
|
||||
} else {
|
||||
break
|
||||
}
|
||||
}
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
return generatePolicyWithClone
|
||||
}
|
||||
|
||||
func updateSourceResource(pName string, rule kyvernov1.Rule, client dclient.Interface, log logr.Logger) error {
|
||||
obj, err := client.GetResource(context.TODO(), "", rule.Generation.Kind, rule.Generation.Clone.Namespace, rule.Generation.Clone.Name)
|
||||
if err != nil {
|
||||
return errors.Wrapf(err, "source resource %s/%s/%s not found", rule.Generation.Kind, rule.Generation.Clone.Namespace, rule.Generation.Clone.Name)
|
||||
}
|
||||
|
||||
var update bool
|
||||
labels := obj.GetLabels()
|
||||
update, labels = removePolicyFromLabels(pName, labels)
|
||||
if !update {
|
||||
return nil
|
||||
}
|
||||
|
||||
obj.SetLabels(labels)
|
||||
_, err = client.UpdateResource(context.TODO(), obj.GetAPIVersion(), rule.Generation.Kind, rule.Generation.Clone.Namespace, obj, false)
|
||||
return err
|
||||
}
|
||||
|
||||
func removePolicyFromLabels(pName string, labels map[string]string) (bool, map[string]string) {
|
||||
if len(labels) == 0 {
|
||||
return false, labels
|
||||
}
|
||||
|
||||
if labels["generate.kyverno.io/clone-policy-name"] != "" {
|
||||
policyNames := labels["generate.kyverno.io/clone-policy-name"]
|
||||
if strings.Contains(policyNames, pName) {
|
||||
desiredLabels := make(map[string]string, len(labels)-1)
|
||||
for k, v := range labels {
|
||||
if k != "generate.kyverno.io/clone-policy-name" {
|
||||
desiredLabels[k] = v
|
||||
}
|
||||
}
|
||||
|
||||
return true, desiredLabels
|
||||
}
|
||||
}
|
||||
|
||||
return false, labels
|
||||
}
|
|
@ -5,11 +5,11 @@ import (
|
|||
"time"
|
||||
|
||||
"github.com/go-logr/logr"
|
||||
"github.com/kyverno/kyverno/pkg/common"
|
||||
"github.com/kyverno/kyverno/pkg/config"
|
||||
"github.com/kyverno/kyverno/pkg/controllers"
|
||||
"github.com/kyverno/kyverno/pkg/tls"
|
||||
controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"
|
||||
retryutils "github.com/kyverno/kyverno/pkg/utils/retry"
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/labels"
|
||||
|
@ -102,10 +102,10 @@ func (c *controller) ticker(ctx context.Context, logger logr.Logger) {
|
|||
}
|
||||
|
||||
func (c *controller) renewCertificates() error {
|
||||
if err := common.RetryFunc(time.Second, 5*time.Second, c.renewer.RenewCA, "failed to renew CA", logger)(); err != nil {
|
||||
if err := retryutils.RetryFunc(context.TODO(), time.Second, 5*time.Second, logger, "failed to renew CA", c.renewer.RenewCA)(); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := common.RetryFunc(time.Second, 5*time.Second, c.renewer.RenewTLS, "failed to renew TLS", logger)(); err != nil {
|
||||
if err := retryutils.RetryFunc(context.TODO(), time.Second, 5*time.Second, logger, "failed to renew TLS", c.renewer.RenewTLS)(); err != nil {
|
||||
return err
|
||||
}
|
||||
return nil
|
||||
|
|
|
@ -10,12 +10,12 @@ import (
|
|||
"github.com/go-logr/logr"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
"github.com/kyverno/kyverno/pkg/autogen"
|
||||
"github.com/kyverno/kyverno/pkg/common"
|
||||
"github.com/kyverno/kyverno/pkg/engine"
|
||||
"github.com/kyverno/kyverno/pkg/engine/response"
|
||||
"github.com/kyverno/kyverno/pkg/metrics"
|
||||
policyExecutionDuration "github.com/kyverno/kyverno/pkg/metrics/policyexecutionduration"
|
||||
policyResults "github.com/kyverno/kyverno/pkg/metrics/policyresults"
|
||||
engineutils "github.com/kyverno/kyverno/pkg/utils/engine"
|
||||
kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
|
||||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||
)
|
||||
|
@ -80,7 +80,7 @@ func (pc *PolicyController) applyPolicy(policy kyvernov1.PolicyInterface, resour
|
|||
logger.V(4).Info("policy and resource already processed", "policyResourceVersion", policy.GetResourceVersion(), "resourceResourceVersion", resource.GetResourceVersion(), "kind", resource.GetKind(), "namespace", resource.GetNamespace(), "name", resource.GetName())
|
||||
}
|
||||
|
||||
namespaceLabels := common.GetNamespaceSelectorsFromNamespaceLister(resource.GetKind(), resource.GetNamespace(), pc.nsLister, logger)
|
||||
namespaceLabels := engineutils.GetNamespaceSelectorsFromNamespaceLister(resource.GetKind(), resource.GetNamespace(), pc.nsLister, logger)
|
||||
engineResponse := applyPolicy(policy, resource, logger, pc.configHandler.GetExcludeGroupRole(), pc.client, pc.rclient, pc.informerCacheResolvers, namespaceLabels)
|
||||
engineResponses = append(engineResponses, engineResponse...)
|
||||
|
||||
|
|
|
@ -35,9 +35,9 @@ type CertValidator interface {
|
|||
|
||||
type CertRenewer interface {
|
||||
// RenewCA renews the CA certificate if needed
|
||||
RenewCA() error
|
||||
RenewCA(context.Context) error
|
||||
// RenewTLS renews the TLS certificate if needed
|
||||
RenewTLS() error
|
||||
RenewTLS(context.Context) error
|
||||
}
|
||||
|
||||
// certRenewer creates rootCA and pem pair to register
|
||||
|
@ -74,7 +74,7 @@ func NewCertRenewer(
|
|||
}
|
||||
|
||||
// RenewCA renews the CA certificate if needed
|
||||
func (c *certRenewer) RenewCA() error {
|
||||
func (c *certRenewer) RenewCA(ctx context.Context) error {
|
||||
secret, key, certs, err := c.decodeCASecret()
|
||||
if err != nil && !apierrors.IsNotFound(err) {
|
||||
logger.Error(err, "failed to read CA")
|
||||
|
@ -97,7 +97,7 @@ func (c *certRenewer) RenewCA() error {
|
|||
return err
|
||||
}
|
||||
certs = append(certs, caCert)
|
||||
if err := c.writeCASecret(caKey, certs...); err != nil {
|
||||
if err := c.writeCASecret(ctx, caKey, certs...); err != nil {
|
||||
logger.Error(err, "failed to write CA")
|
||||
return err
|
||||
}
|
||||
|
@ -106,7 +106,7 @@ func (c *certRenewer) RenewCA() error {
|
|||
}
|
||||
|
||||
// RenewTLS renews the TLS certificate if needed
|
||||
func (c *certRenewer) RenewTLS() error {
|
||||
func (c *certRenewer) RenewTLS(ctx context.Context) error {
|
||||
_, caKey, caCerts, err := c.decodeCASecret()
|
||||
if err != nil {
|
||||
logger.Error(err, "failed to read CA")
|
||||
|
@ -132,7 +132,7 @@ func (c *certRenewer) RenewTLS() error {
|
|||
logger.Error(err, "failed to generate TLS")
|
||||
return err
|
||||
}
|
||||
if err := c.writeTLSSecret(tlsKey, tlsCert); err != nil {
|
||||
if err := c.writeTLSSecret(ctx, tlsKey, tlsCert); err != nil {
|
||||
logger.Error(err, "failed to write TLS")
|
||||
return err
|
||||
}
|
||||
|
@ -203,7 +203,7 @@ func (c *certRenewer) decodeTLSSecret() (*corev1.Secret, *rsa.PrivateKey, *x509.
|
|||
}
|
||||
}
|
||||
|
||||
func (c *certRenewer) writeSecret(name string, key *rsa.PrivateKey, certs ...*x509.Certificate) error {
|
||||
func (c *certRenewer) writeSecret(ctx context.Context, name string, key *rsa.PrivateKey, certs ...*x509.Certificate) error {
|
||||
logger := logger.WithValues("name", name, "namespace", config.KyvernoNamespace())
|
||||
secret, err := c.getSecret(name)
|
||||
if err != nil && !apierrors.IsNotFound(err) {
|
||||
|
@ -228,14 +228,14 @@ func (c *certRenewer) writeSecret(name string, key *rsa.PrivateKey, certs ...*x5
|
|||
corev1.TLSPrivateKeyKey: privateKeyToPem(key),
|
||||
}
|
||||
if secret.ResourceVersion == "" {
|
||||
if _, err := c.client.Create(context.TODO(), secret, metav1.CreateOptions{}); err != nil {
|
||||
if _, err := c.client.Create(ctx, secret, metav1.CreateOptions{}); err != nil {
|
||||
logger.Error(err, "failed to update secret")
|
||||
return err
|
||||
} else {
|
||||
logger.Info("secret created")
|
||||
}
|
||||
} else {
|
||||
if _, err := c.client.Update(context.TODO(), secret, metav1.UpdateOptions{}); err != nil {
|
||||
if _, err := c.client.Update(ctx, secret, metav1.UpdateOptions{}); err != nil {
|
||||
logger.Error(err, "failed to update secret")
|
||||
return err
|
||||
} else {
|
||||
|
@ -246,11 +246,11 @@ func (c *certRenewer) writeSecret(name string, key *rsa.PrivateKey, certs ...*x5
|
|||
}
|
||||
|
||||
// writeCASecret stores the CA cert in secret
|
||||
func (c *certRenewer) writeCASecret(key *rsa.PrivateKey, certs ...*x509.Certificate) error {
|
||||
return c.writeSecret(GenerateRootCASecretName(), key, certs...)
|
||||
func (c *certRenewer) writeCASecret(ctx context.Context, key *rsa.PrivateKey, certs ...*x509.Certificate) error {
|
||||
return c.writeSecret(ctx, GenerateRootCASecretName(), key, certs...)
|
||||
}
|
||||
|
||||
// writeTLSSecret Writes the pair of TLS certificate and key to the specified secret.
|
||||
func (c *certRenewer) writeTLSSecret(key *rsa.PrivateKey, cert *x509.Certificate) error {
|
||||
return c.writeSecret(GenerateTLSPairSecretName(), key, cert)
|
||||
func (c *certRenewer) writeTLSSecret(ctx context.Context, key *rsa.PrivateKey, cert *x509.Certificate) error {
|
||||
return c.writeSecret(ctx, GenerateTLSPairSecretName(), key, cert)
|
||||
}
|
||||
|
|
21
pkg/utils/engine/labels.go
Normal file
21
pkg/utils/engine/labels.go
Normal file
|
@ -0,0 +1,21 @@
|
|||
package engine
|
||||
|
||||
import (
|
||||
"github.com/go-logr/logr"
|
||||
"github.com/kyverno/kyverno/pkg/logging"
|
||||
corev1listers "k8s.io/client-go/listers/core/v1"
|
||||
)
|
||||
|
||||
// GetNamespaceSelectorsFromNamespaceLister - extract the namespacelabels when namespace lister is passed
|
||||
func GetNamespaceSelectorsFromNamespaceLister(kind, namespaceOfResource string, nsLister corev1listers.NamespaceLister, logger logr.Logger) map[string]string {
|
||||
namespaceLabels := make(map[string]string)
|
||||
if kind != "Namespace" && namespaceOfResource != "" {
|
||||
namespaceObj, err := nsLister.Get(namespaceOfResource)
|
||||
if err != nil {
|
||||
logging.Error(err, "failed to get the namespace", "name", namespaceOfResource)
|
||||
return namespaceLabels
|
||||
}
|
||||
return namespaceObj.DeepCopy().GetLabels()
|
||||
}
|
||||
return namespaceLabels
|
||||
}
|
32
pkg/utils/retry/retry.go
Normal file
32
pkg/utils/retry/retry.go
Normal file
|
@ -0,0 +1,32 @@
|
|||
package retry
|
||||
|
||||
import (
|
||||
"context"
|
||||
"time"
|
||||
|
||||
"github.com/go-logr/logr"
|
||||
"github.com/pkg/errors"
|
||||
)
|
||||
|
||||
// RetryFunc allows retrying a function on error within a given timeout
|
||||
func RetryFunc(ctx context.Context, retryInterval, timeout time.Duration, logger logr.Logger, msg string, run func(context.Context) error) func() error {
|
||||
return func() error {
|
||||
ctx, cancel := context.WithTimeout(ctx, timeout)
|
||||
defer cancel()
|
||||
registerTicker := time.NewTicker(retryInterval)
|
||||
defer registerTicker.Stop()
|
||||
var err error
|
||||
for {
|
||||
select {
|
||||
case <-registerTicker.C:
|
||||
if err = run(ctx); err != nil {
|
||||
logger.V(3).Info(msg, "reason", err.Error())
|
||||
} else {
|
||||
return nil
|
||||
}
|
||||
case <-ctx.Done():
|
||||
return errors.Wrap(err, "retry times out")
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
|
@ -14,7 +14,6 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/client/clientset/versioned"
|
||||
kyvernov1beta1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1beta1"
|
||||
"github.com/kyverno/kyverno/pkg/clients/dclient"
|
||||
"github.com/kyverno/kyverno/pkg/common"
|
||||
"github.com/kyverno/kyverno/pkg/config"
|
||||
"github.com/kyverno/kyverno/pkg/engine"
|
||||
"github.com/kyverno/kyverno/pkg/engine/response"
|
||||
|
@ -22,6 +21,7 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/event"
|
||||
"github.com/kyverno/kyverno/pkg/metrics"
|
||||
"github.com/kyverno/kyverno/pkg/registryclient"
|
||||
engineutils "github.com/kyverno/kyverno/pkg/utils/engine"
|
||||
webhookgenerate "github.com/kyverno/kyverno/pkg/webhooks/updaterequest"
|
||||
webhookutils "github.com/kyverno/kyverno/pkg/webhooks/utils"
|
||||
admissionv1 "k8s.io/api/admission/v1"
|
||||
|
@ -91,7 +91,7 @@ func (h *generationHandler) Handle(
|
|||
var rules []response.RuleResponse
|
||||
policyContext := policyContext.WithPolicy(policy)
|
||||
if request.Kind.Kind != "Namespace" && request.Namespace != "" {
|
||||
policyContext = policyContext.WithNamespaceLabels(common.GetNamespaceSelectorsFromNamespaceLister(request.Kind.Kind, request.Namespace, h.nsLister, h.log))
|
||||
policyContext = policyContext.WithNamespaceLabels(engineutils.GetNamespaceSelectorsFromNamespaceLister(request.Kind.Kind, request.Namespace, h.nsLister, h.log))
|
||||
}
|
||||
engineResponse := engine.ApplyBackgroundChecks(h.rclient, policyContext)
|
||||
for _, rule := range engineResponse.PolicyResponse.Rules {
|
||||
|
|
|
@ -12,7 +12,6 @@ import (
|
|||
kyvernov1beta1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1beta1"
|
||||
kyvernov2alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2alpha1"
|
||||
"github.com/kyverno/kyverno/pkg/clients/dclient"
|
||||
"github.com/kyverno/kyverno/pkg/common"
|
||||
"github.com/kyverno/kyverno/pkg/config"
|
||||
enginectx "github.com/kyverno/kyverno/pkg/engine/context"
|
||||
"github.com/kyverno/kyverno/pkg/engine/context/resolvers"
|
||||
|
@ -23,6 +22,7 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/policycache"
|
||||
"github.com/kyverno/kyverno/pkg/registryclient"
|
||||
admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
|
||||
engineutils "github.com/kyverno/kyverno/pkg/utils/engine"
|
||||
jsonutils "github.com/kyverno/kyverno/pkg/utils/json"
|
||||
"github.com/kyverno/kyverno/pkg/webhooks"
|
||||
"github.com/kyverno/kyverno/pkg/webhooks/resource/generation"
|
||||
|
@ -134,7 +134,7 @@ func (h *handlers) Validate(ctx context.Context, logger logr.Logger, request *ad
|
|||
|
||||
namespaceLabels := make(map[string]string)
|
||||
if request.Kind.Kind != "Namespace" && request.Namespace != "" {
|
||||
namespaceLabels = common.GetNamespaceSelectorsFromNamespaceLister(request.Kind.Kind, request.Namespace, h.nsLister, logger)
|
||||
namespaceLabels = engineutils.GetNamespaceSelectorsFromNamespaceLister(request.Kind.Kind, request.Namespace, h.nsLister, logger)
|
||||
}
|
||||
|
||||
vh := validation.NewValidationHandler(logger, h.kyvernoClient, h.rclient, h.pCache, h.pcBuilder, h.eventGen, h.admissionReports, h.metricsConfig)
|
||||
|
|
|
@ -8,7 +8,6 @@ import (
|
|||
|
||||
"github.com/go-logr/logr"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
"github.com/kyverno/kyverno/pkg/common"
|
||||
"github.com/kyverno/kyverno/pkg/engine"
|
||||
"github.com/kyverno/kyverno/pkg/engine/response"
|
||||
"github.com/kyverno/kyverno/pkg/event"
|
||||
|
@ -156,7 +155,7 @@ func (v *mutationHandler) applyMutations(
|
|||
|
||||
func (h *mutationHandler) applyMutation(ctx context.Context, request *admissionv1.AdmissionRequest, policyContext *engine.PolicyContext) (*response.EngineResponse, [][]byte, error) {
|
||||
if request.Kind.Kind != "Namespace" && request.Namespace != "" {
|
||||
policyContext = policyContext.WithNamespaceLabels(common.GetNamespaceSelectorsFromNamespaceLister(request.Kind.Kind, request.Namespace, h.nsLister, h.log))
|
||||
policyContext = policyContext.WithNamespaceLabels(engineutils.GetNamespaceSelectorsFromNamespaceLister(request.Kind.Kind, request.Namespace, h.nsLister, h.log))
|
||||
}
|
||||
|
||||
engineResponse := engine.Mutate(ctx, h.rclient, policyContext)
|
||||
|
|
Loading…
Add table
Reference in a new issue