diff --git a/cmd/kyverno/main.go b/cmd/kyverno/main.go index 4e552e1b16..65a13f5b37 100644 --- a/cmd/kyverno/main.go +++ b/cmd/kyverno/main.go @@ -91,7 +91,7 @@ func main() { // Resource Mutating Webhook Watcher lastReqTime := checker.NewLastReqTime() - rWebhookWatcher := webhookconfig.NewResourceWebhookWatcher( + rWebhookWatcher := webhookconfig.NewResourceWebhookRegister( lastReqTime, kubeInformer.Admissionregistration().V1beta1().MutatingWebhookConfigurations(), webhookRegistrationClient, diff --git a/pkg/policy/controller.go b/pkg/policy/controller.go index b2a0f63f5a..e7822a3039 100644 --- a/pkg/policy/controller.go +++ b/pkg/policy/controller.go @@ -82,7 +82,7 @@ type PolicyController struct { // policy violation generator pvGenerator policyviolation.GeneratorInterface // resourceWebhookWatcher queues the webhook creation request, creates the webhook - resourceWebhookWatcher *webhookconfig.ResourceWebhookWatcher + resourceWebhookWatcher *webhookconfig.ResourceWebhookRegister } // NewPolicyController create a new PolicyController @@ -95,7 +95,7 @@ func NewPolicyController(kyvernoClient *kyvernoclient.Clientset, eventGen event.Interface, pvGenerator policyviolation.GeneratorInterface, pMetaStore policystore.UpdateInterface, - resourceWebhookWatcher *webhookconfig.ResourceWebhookWatcher) (*PolicyController, error) { + resourceWebhookWatcher *webhookconfig.ResourceWebhookRegister) (*PolicyController, error) { // Event broad caster eventBroadcaster := record.NewBroadcaster() eventBroadcaster.StartLogging(glog.Infof) diff --git a/pkg/webhookconfig/rwebhookwatcher.go b/pkg/webhookconfig/rwebhookregister.go similarity index 50% rename from pkg/webhookconfig/rwebhookwatcher.go rename to pkg/webhookconfig/rwebhookregister.go index d4bceb0ffb..17c321f426 100644 --- a/pkg/webhookconfig/rwebhookwatcher.go +++ b/pkg/webhookconfig/rwebhookregister.go @@ -5,98 +5,81 @@ import ( "github.com/golang/glog" checker "github.com/nirmata/kyverno/pkg/checker" - errorsapi "k8s.io/apimachinery/pkg/api/errors" + "github.com/tevino/abool" mconfiginformer "k8s.io/client-go/informers/admissionregistration/v1beta1" mconfiglister "k8s.io/client-go/listers/admissionregistration/v1beta1" cache "k8s.io/client-go/tools/cache" ) -type ResourceWebhookWatcher struct { - LastReqTime *checker.LastReqTime - // ch holds the requests to create resource mutatingwebhookconfiguration - ch chan bool +type ResourceWebhookRegister struct { + // pendingCreation indicates the status of resource webhook creation + pendingCreation *abool.AtomicBool + LastReqTime *checker.LastReqTime mwebhookconfigSynced cache.InformerSynced // list/get mutatingwebhookconfigurations mWebhookConfigLister mconfiglister.MutatingWebhookConfigurationLister webhookRegistrationClient *WebhookRegistrationClient } -func NewResourceWebhookWatcher( +func NewResourceWebhookRegister( lastReqTime *checker.LastReqTime, mconfigwebhookinformer mconfiginformer.MutatingWebhookConfigurationInformer, webhookRegistrationClient *WebhookRegistrationClient, -) *ResourceWebhookWatcher { - return &ResourceWebhookWatcher{ +) *ResourceWebhookRegister { + return &ResourceWebhookRegister{ + pendingCreation: abool.New(), LastReqTime: lastReqTime, - ch: make(chan bool), mwebhookconfigSynced: mconfigwebhookinformer.Informer().HasSynced, mWebhookConfigLister: mconfigwebhookinformer.Lister(), webhookRegistrationClient: webhookRegistrationClient, } } -func (rww *ResourceWebhookWatcher) RegisterResourceWebhook() { - rww.ch <- true +func (rww *ResourceWebhookRegister) RegisterResourceWebhook() { + // drop the request if creation is in processing + if rww.pendingCreation.IsSet() { + glog.V(3).Info("resource webhook configuration is in pending creation, skip the request") + return + } + + // check cache + configName := rww.webhookRegistrationClient.GetResourceMutatingWebhookConfigName() + // exsitence of config is all that matters; if error occurs, creates webhook anyway + // errors of webhook creation are handled separately + config, _ := rww.mWebhookConfigLister.Get(configName) + if config != nil { + glog.V(4).Info("mutating webhoook configuration already exists, skip the request") + return + } + + createWebhook := func() { + rww.pendingCreation.Set() + err := rww.webhookRegistrationClient.CreateResourceMutatingWebhookConfiguration() + rww.pendingCreation.UnSet() + + if err != nil { + glog.Errorf("failed to create resource mutating webhook configuration: %v, re-queue creation request", err) + rww.RegisterResourceWebhook() + return + } + glog.V(3).Info("Successfully created mutating webhook configuration for resources") + } + + timeDiff := time.Since(rww.LastReqTime.Time()) + if timeDiff < checker.DefaultDeadline { + glog.V(3).Info("Verified webhook status, creating webhook configuration") + go createWebhook() + } } -func (rww *ResourceWebhookWatcher) Run(stopCh <-chan struct{}) { - glog.Info("Starting resource webhook watcher") - defer glog.Info("Shutting down resource webhook watcher") - +func (rww *ResourceWebhookRegister) Run(stopCh <-chan struct{}) { // wait for cache to populate first time if !cache.WaitForCacheSync(stopCh, rww.mwebhookconfigSynced) { glog.Error("configuration: failed to sync webhook informer cache") } - - createWebhook := func() { - if err := rww.createResourceMutatingWebhookConfigurationIfRequired(); err != nil { - glog.Errorf("failed to create resource mutating webhook configuration: %v, re-queue creation request", err) - rww.RegisterResourceWebhook() - } - } - - for { - select { - case <-rww.ch: - timeDiff := time.Since(rww.LastReqTime.Time()) - if timeDiff < checker.DefaultDeadline { - glog.V(3).Info("Verified webhook status, creating webhook configuration") - go createWebhook() - } else { - glog.Info("Webhook is inactive, not creating resource webhook configuration") - } - - case <-stopCh: - glog.V(2).Infof("stopping resource webhook watcher") - return - } - } } -// CreateResourceMutatingWebhookConfigurationIfRequired creates a Mutatingwebhookconfiguration -// for all resource types if there's no mutatingwebhookcfg for existing policy -func (rww *ResourceWebhookWatcher) createResourceMutatingWebhookConfigurationIfRequired() error { - // check cache - configName := rww.webhookRegistrationClient.GetResourceMutatingWebhookConfigName() - config, err := rww.mWebhookConfigLister.Get(configName) - if err != nil && !errorsapi.IsNotFound(err) { - glog.V(4).Infof("failed to list mutating webhook configuration: %v", err) - return err - } - - if config != nil { - // mutating webhoook configuration already exists - return nil - } - - if err := rww.webhookRegistrationClient.CreateResourceMutatingWebhookConfiguration(); err != nil { - return err - } - glog.V(3).Info("Successfully created mutating webhook configuration for resources") - return nil -} - -func (rww *ResourceWebhookWatcher) RemoveResourceWebhookConfiguration() error { +func (rww *ResourceWebhookRegister) RemoveResourceWebhookConfiguration() error { var err error // check informer cache configName := rww.webhookRegistrationClient.GetResourceMutatingWebhookConfigName() diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go index b72de53f93..e861d3b162 100644 --- a/pkg/webhooks/server.go +++ b/pkg/webhooks/server.go @@ -65,7 +65,7 @@ type WebhookServer struct { pMetaStore policystore.LookupInterface // policy violation generator pvGenerator policyviolation.GeneratorInterface - resourceWebhookWatcher *webhookconfig.ResourceWebhookWatcher + resourceWebhookWatcher *webhookconfig.ResourceWebhookRegister } // NewWebhookServer creates new instance of WebhookServer accordingly to given configuration @@ -83,7 +83,7 @@ func NewWebhookServer( configHandler config.Interface, pMetaStore policystore.LookupInterface, pvGenerator policyviolation.GeneratorInterface, - resourceWebhookWatcher *webhookconfig.ResourceWebhookWatcher, + resourceWebhookWatcher *webhookconfig.ResourceWebhookRegister, cleanUp chan<- struct{}) (*WebhookServer, error) { if tlsPair == nil {