feat: add missing polex flags (#6030)

* feat: add missing polex flags Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * chart defaul Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-03-28 02:18:15 +00:00 · 2023-01-19 04:56:22 +01:00 · 2023-01-19 04:56:22 +01:00 · af3882f869
commit af3882f869
parent 7608842569
12 changed files with 68 additions and 31 deletions
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@ -136,7 +136,7 @@ The command removes all the Kubernetes components associated with the chart and
 | initImage.repository | string | `"ghcr.io/kyverno/kyvernopre"` | Image repository |
 | initImage.tag | string | `nil` | Image tag If initImage.tag is missing, defaults to image.tag |
 | initImage.pullPolicy | string | `nil` | Image pull policy If initImage.pullPolicy is missing, defaults to image.pullPolicy |
-| initContainer.extraArgs | list | `["--loggingFormat=text"]` | Extra arguments to give to the kyvernopre binary. |
+| initContainer.extraArgs | list | `["--loggingFormat=text","--exceptionNamespace={{ include \"kyverno.namespace\" . }}"]` | Extra arguments to give to the kyvernopre binary. |
 | testImage.registry | string | `nil` | Image registry |
 | testImage.repository | string | `"busybox"` | Image repository |
 | testImage.tag | string | `nil` | Image tag Defaults to `latest` if omitted |
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@ -65,6 +65,7 @@ initContainer:
  # -- Extra arguments to give to the kyvernopre binary.
  extraArgs:
    - --loggingFormat=text
+    - --exceptionNamespace={{ include "kyverno.namespace" . }}


 testImage:
--- a/cmd/kyverno/main.go
+++ b/cmd/kyverno/main.go
@ -34,6 +34,7 @@ import (
 	resourcereportcontroller "github.com/kyverno/kyverno/pkg/controllers/report/resource"
 	webhookcontroller "github.com/kyverno/kyverno/pkg/controllers/webhook"
 	"github.com/kyverno/kyverno/pkg/cosign"
+	"github.com/kyverno/kyverno/pkg/engine"
 	"github.com/kyverno/kyverno/pkg/engine/context/resolvers"
 	"github.com/kyverno/kyverno/pkg/event"
 	"github.com/kyverno/kyverno/pkg/leaderelection"
@ -172,6 +173,8 @@ func createReportControllers(
 	backgroundScanInterval time.Duration,
 	configuration config.Configuration,
 	eventGenerator event.Interface,
+	enablePolicyException bool,
+	exceptionNamespace string,
 ) ([]internal.Controller, func(context.Context) error) {
 	var ctrls []internal.Controller
 	var warmups []func(context.Context) error
@ -215,6 +218,15 @@ func createReportControllers(
 			))
 		}
 		if backgroundScan {
+			var exceptionsLister engine.PolicyExceptionLister
+			if enablePolicyException {
+				lister := kyvernoV2Alpha1.PolicyExceptions().Lister()
+				if exceptionNamespace != "" {
+					exceptionsLister = lister.PolicyExceptions(exceptionNamespace)
+				} else {
+					exceptionsLister = lister
+				}
+			}
 			ctrls = append(ctrls, internal.NewController(
 				backgroundscancontroller.ControllerName,
 				backgroundscancontroller.NewController(
@ -225,7 +237,7 @@ func createReportControllers(
 					kyvernoV1.Policies(),
 					kyvernoV1.ClusterPolicies(),
 					kubeInformer.Core().V1().Namespaces(),
-					kyvernoV2Alpha1.PolicyExceptions(),
+					exceptionsLister,
 					resourceReportController,
 					configMapResolver,
 					backgroundScanInterval,
@ -269,6 +281,8 @@ func createrLeaderControllers(
 	runtime runtimeutils.Runtime,
 	configMapResolver resolvers.ConfigmapResolver,
 	backgroundScanInterval time.Duration,
+	enablePolicyException bool,
+	exceptionNamespace string,
 ) ([]internal.Controller, func(context.Context) error, error) {
 	policyCtrl, err := policy.NewPolicyController(
 		kyvernoClient,
@ -349,6 +363,8 @@ func createrLeaderControllers(
 		backgroundScanInterval,
 		configuration,
 		eventGenerator,
+		enablePolicyException,
+		exceptionNamespace,
 	)
 	return append(
 			[]internal.Controller{
@ -383,6 +399,8 @@ func main() {
 		dumpPayload                bool
 		leaderElectionRetryPeriod  time.Duration
 		backgroundScanInterval     time.Duration
+		enablePolicyException      bool
+		exceptionNamespace         string
 	)
 	flagset := flag.NewFlagSet("kyverno", flag.ExitOnError)
 	flagset.BoolVar(&dumpPayload, "dumpPayload", false, "Set this flag to activate/deactivate debug mode.")
@ -403,6 +421,8 @@ func main() {
 	flagset.IntVar(&backgroundScanWorkers, "backgroundScanWorkers", backgroundscancontroller.Workers, "Configure the number of background scan workers.")
 	flagset.DurationVar(&leaderElectionRetryPeriod, "leaderElectionRetryPeriod", leaderelection.DefaultRetryPeriod, "Configure leader election retry period.")
 	flagset.DurationVar(&backgroundScanInterval, "backgroundScanInterval", time.Hour, "Configure background scan interval.")
+	flagset.StringVar(&exceptionNamespace, "exceptionNamespace", "", "Configure the namespace to accept PolicyExceptions.")
+	flagset.BoolVar(&enablePolicyException, "enablePolicyException", false, "Enable PolicyException feature.")
 	// config
 	appConfig := internal.NewConfiguration(
 		internal.WithProfiling(),
@ -586,6 +606,8 @@ func main() {
 				runtime,
 				configMapResolver,
 				backgroundScanInterval,
+				enablePolicyException,
+				exceptionNamespace,
 			)
 			if err != nil {
 				logger.Error(err, "failed to create leader controllers")
@ -642,6 +664,15 @@ func main() {
 		dClient,
 		openApiManager,
 	)
+	var exceptionsLister engine.PolicyExceptionLister
+	if enablePolicyException {
+		lister := kyvernoInformer.Kyverno().V2alpha1().PolicyExceptions().Lister()
+		if exceptionNamespace != "" {
+			exceptionsLister = lister.PolicyExceptions(exceptionNamespace)
+		} else {
+			exceptionsLister = lister
+		}
+	}
 	resourceHandlers := webhooksresource.NewHandlers(
 		dClient,
 		kyvernoClient,
@ -654,7 +685,7 @@ func main() {
 		kubeInformer.Rbac().V1().RoleBindings().Lister(),
 		kubeInformer.Rbac().V1().ClusterRoleBindings().Lister(),
 		kyvernoInformer.Kyverno().V1beta1().UpdateRequests().Lister().UpdateRequests(config.KyvernoNamespace()),
-		kyvernoInformer.Kyverno().V2alpha1().PolicyExceptions().Lister(),
+		exceptionsLister,
 		urgen,
 		eventGenerator,
 		openApiManager,
--- a/cmd/reports-controller/main.go
+++ b/cmd/reports-controller/main.go
@ -132,7 +132,7 @@ func createReportControllers(
 					kyvernoV1.Policies(),
 					kyvernoV1.ClusterPolicies(),
 					kubeInformer.Core().V1().Namespaces(),
-					kyvernoV2Alpha1.PolicyExceptions(),
+					kyvernoV2Alpha1.PolicyExceptions().Lister(),
 					resourceReportController,
 					configMapResolver,
 					backgroundScanInterval,
--- a/config/install.yaml
+++ b/config/install.yaml
@ -32325,6 +32325,7 @@ spec:
          imagePullPolicy: IfNotPresent
          args:
            - --loggingFormat=text
+            - --exceptionNamespace=kyverno
          resources: 
            limits:
              cpu: 100m
--- a/pkg/controllers/report/background/controller.go
+++ b/pkg/controllers/report/background/controller.go
@ -11,14 +11,13 @@ import (
 	policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
 	"github.com/kyverno/kyverno/pkg/client/clientset/versioned"
 	kyvernov1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1"
-	kyvernov2alpha1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v2alpha1"
 	kyvernov1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1"
-	kyvernov2alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2alpha1"
 	"github.com/kyverno/kyverno/pkg/clients/dclient"
 	"github.com/kyverno/kyverno/pkg/config"
 	"github.com/kyverno/kyverno/pkg/controllers"
 	"github.com/kyverno/kyverno/pkg/controllers/report/resource"
 	"github.com/kyverno/kyverno/pkg/controllers/report/utils"
+	"github.com/kyverno/kyverno/pkg/engine"
 	"github.com/kyverno/kyverno/pkg/engine/context/resolvers"
 	"github.com/kyverno/kyverno/pkg/event"
 	"github.com/kyverno/kyverno/pkg/registryclient"
@ -57,7 +56,7 @@ type controller struct {
 	bgscanrLister  cache.GenericLister
 	cbgscanrLister cache.GenericLister
 	nsLister       corev1listers.NamespaceLister
-	polexLister    kyvernov2alpha1listers.PolicyExceptionLister
+	polexLister    engine.PolicyExceptionLister

 	// queue
 	queue workqueue.RateLimitingInterface
@ -80,7 +79,7 @@ func NewController(
 	polInformer kyvernov1informers.PolicyInformer,
 	cpolInformer kyvernov1informers.ClusterPolicyInformer,
 	nsInformer corev1informers.NamespaceInformer,
-	polexInformer kyvernov2alpha1informers.PolicyExceptionInformer,
+	polexLister engine.PolicyExceptionLister,
 	metadataCache resource.MetadataCache,
 	informerCacheResolvers resolvers.ConfigmapResolver,
 	forceDelay time.Duration,
@ -99,7 +98,7 @@ func NewController(
 		bgscanrLister:          bgscanr.Lister(),
 		cbgscanrLister:         cbgscanr.Lister(),
 		nsLister:               nsInformer.Lister(),
-		polexLister:            polexInformer.Lister(),
+		polexLister:            polexLister,
 		queue:                  queue,
 		metadataCache:          metadataCache,
 		informerCacheResolvers: informerCacheResolvers,
--- a/pkg/controllers/report/utils/scanner.go
+++ b/pkg/controllers/report/utils/scanner.go
@ -5,7 +5,6 @@ import (

 	"github.com/go-logr/logr"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
-	kyvernov2alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2alpha1"
 	"github.com/kyverno/kyverno/pkg/clients/dclient"
 	"github.com/kyverno/kyverno/pkg/config"
 	"github.com/kyverno/kyverno/pkg/engine"
@ -22,7 +21,7 @@ type scanner struct {
 	client                 dclient.Interface
 	rclient                registryclient.Client
 	informerCacheResolvers resolvers.ConfigmapResolver
-	polexLister            kyvernov2alpha1listers.PolicyExceptionLister
+	polexLister            engine.PolicyExceptionLister
 	excludeGroupRole       []string
 	config                 config.Configuration
 }
@ -41,7 +40,7 @@ func NewScanner(
 	client dclient.Interface,
 	rclient registryclient.Client,
 	informerCacheResolvers resolvers.ConfigmapResolver,
-	polexLister kyvernov2alpha1listers.PolicyExceptionLister,
+	polexLister engine.PolicyExceptionLister,
 	config config.Configuration,
 	excludeGroupRole ...string,
 ) Scanner {
--- a/pkg/engine/policyContext.go
+++ b/pkg/engine/policyContext.go
@ -4,7 +4,6 @@ import (
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 	kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"
 	kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
-	kyvernov2alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2alpha1"
 	"github.com/kyverno/kyverno/pkg/clients/dclient"
 	"github.com/kyverno/kyverno/pkg/config"
 	enginectx "github.com/kyverno/kyverno/pkg/engine/context"
@ -21,6 +20,12 @@ import (
 // ExcludeFunc is a function used to determine if a resource is excluded
 type ExcludeFunc = func(kind, namespace, name string) bool

+type PolicyExceptionLister interface {
+	// List lists all PolicyExceptions in the indexer.
+	// Objects returned here must be treated as read-only.
+	List(selector labels.Selector) (ret []*kyvernov2alpha1.PolicyException, err error)
+}
+
 // PolicyContext contains the contexts for engine to process
 type PolicyContext struct {
 	// policy is the policy to be processed
@ -80,7 +85,7 @@ type PolicyContext struct {
 	}

 	// peLister list all policy exceptions
-	peLister kyvernov2alpha1listers.PolicyExceptionLister
+	peLister PolicyExceptionLister
 }

 // Getters
@ -222,7 +227,7 @@ func (c *PolicyContext) WithSubresourcesInPolicy(subresourcesInPolicy []struct {
 	return copy
 }

-func (c *PolicyContext) WithExceptions(peLister kyvernov2alpha1listers.PolicyExceptionLister) *PolicyContext {
+func (c *PolicyContext) WithExceptions(peLister PolicyExceptionLister) *PolicyContext {
 	copy := c.Copy()
 	copy.peLister = peLister
 	return copy
@ -249,7 +254,7 @@ func NewPolicyContextFromAdmissionRequest(
 	configuration config.Configuration,
 	client dclient.Interface,
 	informerCacheResolver resolvers.ConfigmapResolver,
-	peLister kyvernov2alpha1listers.PolicyExceptionLister,
+	polexLister PolicyExceptionLister,
 ) (*PolicyContext, error) {
 	ctx, err := newVariablesContext(request, &admissionInfo)
 	if err != nil {
@ -273,7 +278,7 @@ func NewPolicyContextFromAdmissionRequest(
 		WithInformerCacheResolver(informerCacheResolver).
 		WithRequestResource(*requestResource).
 		WithSubresource(request.SubResource).
-		WithExceptions(peLister)
+		WithExceptions(polexLister)
 	return policyContext, nil
 }

--- a/pkg/webhooks/resource/handlers.go
+++ b/pkg/webhooks/resource/handlers.go
@ -10,9 +10,9 @@ import (
 	kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"
 	"github.com/kyverno/kyverno/pkg/client/clientset/versioned"
 	kyvernov1beta1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1beta1"
-	kyvernov2alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2alpha1"
 	"github.com/kyverno/kyverno/pkg/clients/dclient"
 	"github.com/kyverno/kyverno/pkg/config"
+	"github.com/kyverno/kyverno/pkg/engine"
 	enginectx "github.com/kyverno/kyverno/pkg/engine/context"
 	"github.com/kyverno/kyverno/pkg/engine/context/resolvers"
 	"github.com/kyverno/kyverno/pkg/event"
@ -50,11 +50,11 @@ type handlers struct {
 	pCache policycache.Cache

 	// listers
-	nsLister  corev1listers.NamespaceLister
-	rbLister  rbacv1listers.RoleBindingLister
-	crbLister rbacv1listers.ClusterRoleBindingLister
-	urLister  kyvernov1beta1listers.UpdateRequestNamespaceLister
-	peLister  kyvernov2alpha1listers.PolicyExceptionLister
+	nsLister    corev1listers.NamespaceLister
+	rbLister    rbacv1listers.RoleBindingLister
+	crbLister   rbacv1listers.ClusterRoleBindingLister
+	urLister    kyvernov1beta1listers.UpdateRequestNamespaceLister
+	polexLister engine.PolicyExceptionLister

 	urGenerator    webhookgenerate.Generator
 	eventGen       event.Interface
@ -77,7 +77,7 @@ func NewHandlers(
 	rbLister rbacv1listers.RoleBindingLister,
 	crbLister rbacv1listers.ClusterRoleBindingLister,
 	urLister kyvernov1beta1listers.UpdateRequestNamespaceLister,
-	peLister kyvernov2alpha1listers.PolicyExceptionLister,
+	polexLister engine.PolicyExceptionLister,
 	urGenerator webhookgenerate.Generator,
 	eventGen event.Interface,
 	openApiManager openapi.ValidateInterface,
@ -94,11 +94,11 @@ func NewHandlers(
 		rbLister:         rbLister,
 		crbLister:        crbLister,
 		urLister:         urLister,
-		peLister:         peLister,
+		polexLister:      polexLister,
 		urGenerator:      urGenerator,
 		eventGen:         eventGen,
 		openApiManager:   openApiManager,
-		pcBuilder:        webhookutils.NewPolicyContextBuilder(configuration, client, rbLister, crbLister, informerCacheResolvers, peLister),
+		pcBuilder:        webhookutils.NewPolicyContextBuilder(configuration, client, rbLister, crbLister, informerCacheResolvers, polexLister),
 		urUpdater:        webhookutils.NewUpdateRequestUpdater(kyvernoClient, urLister),
 		admissionReports: admissionReports,
 	}
--- a/pkg/webhooks/utils/policy_context_builder.go
+++ b/pkg/webhooks/utils/policy_context_builder.go
@ -2,7 +2,6 @@ package utils

 import (
 	kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"
-	kyvernov2alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2alpha1"
 	"github.com/kyverno/kyverno/pkg/clients/dclient"
 	"github.com/kyverno/kyverno/pkg/config"
 	"github.com/kyverno/kyverno/pkg/engine"
@ -23,7 +22,7 @@ type policyContextBuilder struct {
 	rbLister               rbacv1listers.RoleBindingLister
 	crbLister              rbacv1listers.ClusterRoleBindingLister
 	informerCacheResolvers resolvers.ConfigmapResolver
-	peLister               kyvernov2alpha1listers.PolicyExceptionLister
+	polexLister            engine.PolicyExceptionLister
 }

 func NewPolicyContextBuilder(
@ -32,7 +31,7 @@ func NewPolicyContextBuilder(
 	rbLister rbacv1listers.RoleBindingLister,
 	crbLister rbacv1listers.ClusterRoleBindingLister,
 	informerCacheResolvers resolvers.ConfigmapResolver,
-	peLister kyvernov2alpha1listers.PolicyExceptionLister,
+	polexLister engine.PolicyExceptionLister,
 ) PolicyContextBuilder {
 	return &policyContextBuilder{
 		configuration:          configuration,
@ -40,7 +39,7 @@ func NewPolicyContextBuilder(
 		rbLister:               rbLister,
 		crbLister:              crbLister,
 		informerCacheResolvers: informerCacheResolvers,
-		peLister:               peLister,
+		polexLister:            polexLister,
 	}
 }

@ -54,5 +53,5 @@ func (b *policyContextBuilder) Build(request *admissionv1.AdmissionRequest) (*en
 		userRequestInfo.Roles = roles
 		userRequestInfo.ClusterRoles = clusterRoles
 	}
-	return engine.NewPolicyContextFromAdmissionRequest(request, userRequestInfo, b.configuration, b.client, b.informerCacheResolvers, b.peLister)
+	return engine.NewPolicyContextFromAdmissionRequest(request, userRequestInfo, b.configuration, b.client, b.informerCacheResolvers, b.polexLister)
 }
--- a/scripts/config/dev/kyverno.yaml
+++ b/scripts/config/dev/kyverno.yaml
@ -7,6 +7,7 @@ extraArgs:
  - --enableTracing
  - --tracingAddress=tempo.monitoring
  - --tracingPort=4317
+  - --enablePolicyException

 serviceMonitor:
  enabled: true
--- a/scripts/config/standard/kyverno.yaml
+++ b/scripts/config/standard/kyverno.yaml
@ -4,6 +4,7 @@ initContainer:

 extraArgs:
  - --loggingFormat=json
+  - --enablePolicyException

 cleanupController:
  rbac: