From b6447e06496c21d114a636c3d92e4b3f3d8dc40a Mon Sep 17 00:00:00 2001 From: shuting Date: Tue, 18 Jan 2022 20:59:35 +0800 Subject: [PATCH] Remove resourceCache from engine (#3013) * update log messages Signed-off-by: ShutingZhao * remove resourceCache from the background controller when: - register resource scope - list resources per namespace Signed-off-by: ShutingZhao * - use client call for configmap lookup; - remove resourceCache from policy controller, webhook server and generate controller Signed-off-by: ShutingZhao --- cmd/kyverno/main.go | 4 ---- pkg/engine/generation.go | 3 +-- pkg/engine/imageVerify.go | 2 +- pkg/engine/jsonContext.go | 34 +++++++++-------------------- pkg/engine/mutation.go | 7 +++--- pkg/engine/policyContext.go | 5 ----- pkg/engine/validation.go | 2 +- pkg/generate/generate.go | 4 +--- pkg/generate/generate_controller.go | 6 +---- pkg/policy/apply.go | 9 +++----- pkg/policy/common.go | 26 ---------------------- pkg/policy/existing.go | 21 +++++------------- pkg/policy/generate/validate.go | 10 ++++----- pkg/policy/policy_controller.go | 12 ---------- pkg/webhooks/generation.go | 1 - pkg/webhooks/server.go | 8 ------- pkg/webhooks/validate_audit.go | 5 ----- 17 files changed, 32 insertions(+), 127 deletions(-) diff --git a/cmd/kyverno/main.go b/cmd/kyverno/main.go index c70f8a31dc..010b585b05 100755 --- a/cmd/kyverno/main.go +++ b/cmd/kyverno/main.go @@ -312,7 +312,6 @@ func main() { prgen, kubeInformer.Core().V1().Namespaces(), log.Log.WithName("PolicyController"), - rCache, policyControllerResyncPeriod, promConfig, ) @@ -337,7 +336,6 @@ func main() { kubedynamicInformer, log.Log.WithName("GenerateController"), configData, - rCache, ) if err != nil { setupLog.Error(err, "Failed to create generate controller") @@ -375,7 +373,6 @@ func main() { kubeInformer.Core().V1().Namespaces(), log.Log.WithName("ValidateAuditHandler"), configData, - rCache, client, promConfig, ) 
@@ -471,7 +468,6 @@ func main() { cleanUp, log.Log.WithName("WebhookServer"), openAPIController, - rCache, grc, promConfig, ) diff --git a/pkg/engine/generation.go b/pkg/engine/generation.go index cd89593035..bd7cb745a3 100644 --- a/pkg/engine/generation.go +++ b/pkg/engine/generation.go @@ -70,7 +70,6 @@ func filterRule(rule kyverno.Rule, policyContext *PolicyContext) *response.RuleR oldResource := policyContext.OldResource admissionInfo := policyContext.AdmissionInfo ctx := policyContext.JSONContext - resCache := policyContext.ResourceCache excludeGroupRole := policyContext.ExcludeGroupRole namespaceLabels := policyContext.NamespaceLabels @@ -98,7 +97,7 @@ func filterRule(rule kyverno.Rule, policyContext *PolicyContext) *response.RuleR policyContext.JSONContext.Checkpoint() defer policyContext.JSONContext.Restore() - if err = LoadContext(logger, rule.Context, resCache, policyContext, rule.Name); err != nil { + if err = LoadContext(logger, rule.Context, policyContext, rule.Name); err != nil { logger.V(4).Info("cannot add external data to the context", "reason", err.Error()) return nil } diff --git a/pkg/engine/imageVerify.go b/pkg/engine/imageVerify.go index 48eec690af..4a1c4b9e0b 100644 --- a/pkg/engine/imageVerify.go +++ b/pkg/engine/imageVerify.go @@ -60,7 +60,7 @@ func VerifyAndPatchImages(policyContext *PolicyContext) (resp *response.EngineRe policyContext.JSONContext.Restore() - if err := LoadContext(logger, rule.Context, policyContext.ResourceCache, policyContext, rule.Name); err != nil { + if err := LoadContext(logger, rule.Context, policyContext, rule.Name); err != nil { appendError(resp, rule, fmt.Sprintf("failed to load context: %s", err.Error()), response.RuleStatusError) continue } diff --git a/pkg/engine/jsonContext.go b/pkg/engine/jsonContext.go index bd8e037e90..59ffcb035b 100644 --- a/pkg/engine/jsonContext.go +++ b/pkg/engine/jsonContext.go @@ -2,7 +2,6 @@ package engine import ( "encoding/json" - "errors" "fmt" "strings" 
@@ -11,17 +10,14 @@ import ( "github.com/google/go-containerregistry/pkg/v1/remote" kyverno "github.com/kyverno/kyverno/api/kyverno/v1" pkgcommon "github.com/kyverno/kyverno/pkg/common" - "github.com/kyverno/kyverno/pkg/engine/context" jmespath "github.com/kyverno/kyverno/pkg/engine/jmespath" "github.com/kyverno/kyverno/pkg/engine/variables" "github.com/kyverno/kyverno/pkg/kyverno/store" "github.com/kyverno/kyverno/pkg/registryclient" - "github.com/kyverno/kyverno/pkg/resourcecache" - "k8s.io/client-go/dynamic/dynamiclister" ) // LoadContext - Fetches and adds external data to the Context. -func LoadContext(logger logr.Logger, contextEntries []kyverno.ContextEntry, resCache resourcecache.ResourceCache, ctx *PolicyContext, ruleName string) error { +func LoadContext(logger logr.Logger, contextEntries []kyverno.ContextEntry, ctx *PolicyContext, ruleName string) error { if len(contextEntries) == 0 { return nil } @@ -49,18 +45,9 @@ func LoadContext(logger logr.Logger, contextEntries []kyverno.ContextEntry, resC } } } else { - // get GVR Cache for "configmaps" - // can get cache for other resources if the informers are enabled in resource cache - gvrC, ok := resCache.GetGVRCache("ConfigMap") - if !ok { - return errors.New("configmaps GVR Cache not found") - } - - lister := gvrC.Lister() - for _, entry := range contextEntries { if entry.ConfigMap != nil { - if err := loadConfigMap(logger, entry, lister, ctx.JSONContext); err != nil { + if err := loadConfigMap(logger, entry, ctx); err != nil { return err } } else if entry.APICall != nil { 
@@ -286,13 +273,13 @@ func loadResource(ctx *PolicyContext, p *APIPath) ([]byte, error) { return r.MarshalJSON() } -func loadConfigMap(logger logr.Logger, entry kyverno.ContextEntry, lister dynamiclister.Lister, ctx *context.Context) error { - data, err := fetchConfigMap(logger, entry, lister, ctx) +func loadConfigMap(logger logr.Logger, entry kyverno.ContextEntry, ctx *PolicyContext) error { + data, err := fetchConfigMap(logger, entry, ctx) if err != nil { return fmt.Errorf("failed to retrieve config map for context entry %s: %v", entry.Name, err) } - err = ctx.AddJSON(data) + err = ctx.JSONContext.AddJSON(data) if err != nil { return fmt.Errorf("failed to add config map for context entry %s: %v", entry.Name, err) } @@ -300,15 +287,15 @@ func loadConfigMap(logger logr.Logger, entry kyverno.ContextEntry, lister dynami return nil } -func fetchConfigMap(logger logr.Logger, entry kyverno.ContextEntry, lister dynamiclister.Lister, jsonContext *context.Context) ([]byte, error) { +func fetchConfigMap(logger logr.Logger, entry kyverno.ContextEntry, ctx *PolicyContext) ([]byte, error) { contextData := make(map[string]interface{}) - name, err := variables.SubstituteAll(logger, jsonContext, entry.ConfigMap.Name) + name, err := variables.SubstituteAll(logger, ctx.JSONContext, entry.ConfigMap.Name) if err != nil { return nil, fmt.Errorf("failed to substitute variables in context %s configMap.name %s: %v", entry.Name, entry.ConfigMap.Name, err) } - namespace, err := variables.SubstituteAll(logger, jsonContext, entry.ConfigMap.Namespace) + namespace, err := variables.SubstituteAll(logger, ctx.JSONContext, entry.ConfigMap.Namespace) if err != nil { return nil, fmt.Errorf("failed to substitute variables in context %s configMap.namespace %s: %v", entry.Name, entry.ConfigMap.Namespace, err) } 
@@ -317,10 +304,9 @@ func fetchConfigMap(logger logr.Logger, entry kyverno.ContextEntry, lister dynam namespace = "default" } - key := fmt.Sprintf("%s/%s", namespace, name) - obj, err := lister.Get(key) + obj, err := ctx.Client.GetResource("v1", "ConfigMap", namespace.(string), name.(string)) if err != nil { - return nil, fmt.Errorf("failed to read configmap %s/%s from cache: %v", namespace, name, err) + return nil, fmt.Errorf("failed to get configmap %s/%s : %v", namespace, name, err) } unstructuredObj := obj.DeepCopy().Object diff --git a/pkg/engine/mutation.go b/pkg/engine/mutation.go index 679fdfe52f..e27eb91cb8 100644 --- a/pkg/engine/mutation.go +++ b/pkg/engine/mutation.go @@ -35,7 +35,6 @@ func Mutate(policyContext *PolicyContext) (resp *response.EngineResponse) { ctx := policyContext.JSONContext var name []string - resCache := policyContext.ResourceCache logger := log.Log.WithName("EngineMutate").WithValues("policy", policy.Name, "kind", patchedResource.GetKind(), "namespace", patchedResource.GetNamespace(), "name", patchedResource.GetName()) @@ -78,7 +77,7 @@ func Mutate(policyContext *PolicyContext) (resp *response.EngineResponse) { logger.Error(err, "failed to query resource object") } - if err := LoadContext(logger, rule.Context, resCache, policyContext, rule.Name); err != nil { + if err := LoadContext(logger, rule.Context, policyContext, rule.Name); err != nil { if _, ok := err.(gojmespath.NotFoundError); ok { logger.V(3).Info("failed to load context", "reason", err.Error()) } else { @@ -144,7 +143,7 @@ func mutateForEach(rule *kyverno.Rule, ctx *PolicyContext, resource unstructured allPatches := make([][]byte, 0) for _, foreach := range foreachList { - if err := LoadContext(logger, rule.Context, ctx.ResourceCache, ctx, rule.Name); err != nil { + if err := LoadContext(logger, rule.Context, ctx, rule.Name); err != nil { logger.Error(err, "failed to load context") return ruleError(rule, utils.Mutation, "failed to load context", err), resource } 
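Review bot: The new `ctx.Client.GetResource("v1", "ConfigMap", namespace.(string), name.(string))` call uses unchecked type assertions on two values that `variables.SubstituteAll` returns as `interface{}`; the removed `fmt.Sprintf("%s/%s", namespace, name)` tolerated any type, so a variable that resolves to a non-string (a map, number, or nil) now panics inside the engine instead of failing the rule. Guard both first, e.g. `nsStr, ok := namespace.(string); nameStr, ok2 := name.(string); if !ok || !ok2 { return nil, fmt.Errorf("context %s: configMap name and namespace must resolve to strings", entry.Name) }` and pass `nsStr`/`nameStr` to `GetResource`. The lookup also moves from an informer cache to a live API GET per rule evaluation, so on the admission path an API-server error or RBAC denial now surfaces through the new "failed to get configmap" error; the message has a stray space before the colon (`%s/%s : %v`). fetchConfigMap starts and ends outside this hunk.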
@@ -202,7 +201,7 @@ func mutateElements(name string, foreach *kyverno.ForEachMutation, ctx *PolicyCo return mutateError(err, fmt.Sprintf("failed to add element to mutate.foreach[%d].context", i)) } - if err := LoadContext(logger, foreach.Context, ctx.ResourceCache, ctx, name); err != nil { + if err := LoadContext(logger, foreach.Context, ctx, name); err != nil { return mutateError(err, fmt.Sprintf("failed to load to mutate.foreach[%d].context", i)) } diff --git a/pkg/engine/policyContext.go b/pkg/engine/policyContext.go index e980f6451e..2e304209f4 100644 --- a/pkg/engine/policyContext.go +++ b/pkg/engine/policyContext.go @@ -4,7 +4,6 @@ import ( kyverno "github.com/kyverno/kyverno/api/kyverno/v1" client "github.com/kyverno/kyverno/pkg/dclient" "github.com/kyverno/kyverno/pkg/engine/context" - "github.com/kyverno/kyverno/pkg/resourcecache" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" ) @@ -34,9 +33,6 @@ type PolicyContext struct { ExcludeResourceFunc func(kind, namespace, name string) bool - // ResourceCache provides listers to resources. Currently Supports Configmap - ResourceCache resourcecache.ResourceCache - // JSONContext is the variable context JSONContext *context.Context @@ -53,7 +49,6 @@ func (pc *PolicyContext) Copy() *PolicyContext { Client: pc.Client, ExcludeGroupRole: pc.ExcludeGroupRole, ExcludeResourceFunc: pc.ExcludeResourceFunc, - ResourceCache: pc.ResourceCache, JSONContext: pc.JSONContext, NamespaceLabels: pc.NamespaceLabels, } diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go index 64ad482c72..e9520d2a7a 100644 --- a/pkg/engine/validation.go +++ b/pkg/engine/validation.go 
@@ -307,7 +307,7 @@ func addElementToContext(ctx *PolicyContext, e interface{}, elementIndex int, el } func (v *validator) loadContext() error { - if err := LoadContext(v.log, v.contextEntries, v.ctx.ResourceCache, v.ctx, v.rule.Name); err != nil { + if err := LoadContext(v.log, v.contextEntries, v.ctx, v.rule.Name); err != nil { if _, ok := err.(gojmespath.NotFoundError); ok { v.log.V(3).Info("failed to load context", "reason", err.Error()) } else { diff --git a/pkg/generate/generate.go b/pkg/generate/generate.go index fb770ca5a8..4530aa9f0a 100644 --- a/pkg/generate/generate.go +++ b/pkg/generate/generate.go @@ -194,7 +194,6 @@ func (c *Controller) applyGenerate(resource unstructured.Unstructured, gr kyvern AdmissionInfo: gr.Spec.Context.UserRequestInfo, ExcludeGroupRole: c.Config.GetExcludeGroupRole(), ExcludeResourceFunc: c.Config.ToFilter, - ResourceCache: c.resCache, JSONContext: ctx, NamespaceLabels: namespaceLabels, Client: c.client, @@ -256,7 +255,6 @@ func (c *Controller) applyGeneratePolicy(log logr.Logger, policyContext *engine. policy := policyContext.Policy resource := policyContext.NewResource - resCache := policyContext.ResourceCache jsonContext := policyContext.JSONContext // To manage existing resources, we compare the creation time for the default resource to be generated and policy creation time @@ -284,7 +282,7 @@ func (c *Controller) applyGeneratePolicy(log logr.Logger, policyContext *engine. } // add configmap json data to context - if err := engine.LoadContext(log, rule.Context, resCache, policyContext, rule.Name); err != nil { + if err := engine.LoadContext(log, rule.Context, policyContext, rule.Name); err != nil { log.Error(err, "cannot add configmaps to context") return nil, processExisting, err } diff --git a/pkg/generate/generate_controller.go b/pkg/generate/generate_controller.go index f3c4809fec..03d6f1c95e 100644 --- a/pkg/generate/generate_controller.go +++ b/pkg/generate/generate_controller.go 
@@ -15,7 +15,6 @@ import ( "github.com/kyverno/kyverno/pkg/config" dclient "github.com/kyverno/kyverno/pkg/dclient" "github.com/kyverno/kyverno/pkg/event" - "github.com/kyverno/kyverno/pkg/resourcecache" apierrors "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" utilruntime "k8s.io/apimachinery/pkg/util/runtime" @@ -68,8 +67,7 @@ type Controller struct { nsInformer informers.GenericInformer log logr.Logger - Config config.Interface - resCache resourcecache.ResourceCache + Config config.Interface } //NewController returns an instance of the Generate-Request Controller @@ -83,7 +81,6 @@ func NewController( dynamicInformer dynamicinformer.DynamicSharedInformerFactory, log logr.Logger, dynamicConfig config.Interface, - resourceCache resourcecache.ResourceCache, ) (*Controller, error) { c := Controller{ @@ -95,7 +92,6 @@ func NewController( dynamicInformer: dynamicInformer, log: log, Config: dynamicConfig, - resCache: resourceCache, } c.statusControl = StatusControl{client: kyvernoClient} diff --git a/pkg/policy/apply.go b/pkg/policy/apply.go index c02b36b247..5d131c31b5 100644 --- a/pkg/policy/apply.go +++ b/pkg/policy/apply.go @@ -14,14 +14,13 @@ import ( "github.com/kyverno/kyverno/pkg/engine" "github.com/kyverno/kyverno/pkg/engine/context" "github.com/kyverno/kyverno/pkg/engine/response" - "github.com/kyverno/kyverno/pkg/resourcecache" "github.com/kyverno/kyverno/pkg/utils" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" ) // applyPolicy applies policy on a resource func applyPolicy(policy kyverno.ClusterPolicy, resource unstructured.Unstructured, - logger logr.Logger, excludeGroupRole []string, resCache resourcecache.ResourceCache, + logger logr.Logger, excludeGroupRole []string, client *client.Client, namespaceLabels map[string]string) (responses []*response.EngineResponse) { startTime := time.Now() 
@@ -54,7 +53,7 @@ func applyPolicy(policy kyverno.ClusterPolicy, resource unstructured.Unstructure logger.Error(err, "unable to add image info to variables context") } - engineResponseMutation, err = mutation(policy, resource, logger, resCache, ctx, namespaceLabels) + engineResponseMutation, err = mutation(policy, resource, logger, ctx, namespaceLabels) if err != nil { logger.Error(err, "failed to process mutation rule") } @@ -63,7 +62,6 @@ func applyPolicy(policy kyverno.ClusterPolicy, resource unstructured.Unstructure Policy: policy, NewResource: resource, ExcludeGroupRole: excludeGroupRole, - ResourceCache: resCache, JSONContext: ctx, Client: client, NamespaceLabels: namespaceLabels, @@ -75,12 +73,11 @@ func applyPolicy(policy kyverno.ClusterPolicy, resource unstructured.Unstructure return engineResponses } -func mutation(policy kyverno.ClusterPolicy, resource unstructured.Unstructured, log logr.Logger, resCache resourcecache.ResourceCache, jsonContext *context.Context, namespaceLabels map[string]string) (*response.EngineResponse, error) { +func mutation(policy kyverno.ClusterPolicy, resource unstructured.Unstructured, log logr.Logger, jsonContext *context.Context, namespaceLabels map[string]string) (*response.EngineResponse, error) { policyContext := &engine.PolicyContext{ Policy: policy, NewResource: resource, - ResourceCache: resCache, JSONContext: jsonContext, NamespaceLabels: namespaceLabels, } diff --git a/pkg/policy/common.go b/pkg/policy/common.go index 1622dab35e..7f7d4662dd 100644 --- a/pkg/policy/common.go +++ b/pkg/policy/common.go 
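Review bot: `mutation` still builds its `engine.PolicyContext` with only `Policy`, `NewResource`, `JSONContext` and `NamespaceLabels`, while the `ResourceCache` field it used to set is gone and `fetchConfigMap` now resolves configmaps through `ctx.Client`; for a mutate rule with a `configMap` context entry the background scan will therefore reach `ctx.Client.GetResource` with a nil client, which will panic unless `GetResource` tolerates a nil receiver (not visible here). `applyPolicy` already has `client *client.Client` in scope, so thread it through: `func mutation(policy kyverno.ClusterPolicy, resource unstructured.Unstructured, log logr.Logger, jsonContext *context.Context, client *client.Client, namespaceLabels map[string]string) (*response.EngineResponse, error) {`, `Client: client,` in the literal, and `engineResponseMutation, err = mutation(policy, resource, logger, ctx, client, namespaceLabels)` at the call site. The same gap applies to any other `PolicyContext` built without `Client` that reaches `LoadContext`; the ones in webhooks and generate visible in this patch do set it.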
@@ -144,32 +144,6 @@ func GetAllNamespaces(nslister listerv1.NamespaceLister, log logr.Logger) []stri } func (pc *PolicyController) getResourceList(kind, namespace string, labelSelector *metav1.LabelSelector, log logr.Logger) interface{} { - list, err := func() (list []*unstructured.Unstructured, err error) { - var selector labels.Selector - if labelSelector == nil { - selector = labels.Everything() - } else { - if selector, err = metav1.LabelSelectorAsSelector(labelSelector); err != nil { - return nil, err - } - } - - genericCache, _ := pc.resCache.GetGVRCache(kind) - - if namespace != "" { - list, err = genericCache.NamespacedLister(namespace).List(selector) - } else { - list, err = genericCache.Lister().List(selector) - } - return list, err - }() - - if err != nil { - log.V(3).Info("failed to list resource using lister, try to query from the API server", "err", err.Error()) - } else { - return list - } - resourceList, err := pc.client.ListResource("", kind, namespace, labelSelector) if err != nil { log.Error(err, "failed to list resources", "kind", kind, "namespace", namespace) diff --git a/pkg/policy/existing.go b/pkg/policy/existing.go index 91e39ca468..81566396de 100644 --- a/pkg/policy/existing.go +++ b/pkg/policy/existing.go @@ -2,7 +2,6 @@ package policy import ( "errors" - "fmt" "sync" "time" 
@@ -34,17 +33,6 @@ func (pc *PolicyController) processExistingResources(policy *kyverno.ClusterPoli } } -func (pc *PolicyController) registerResource(gvk string) (err error) { - genericCache, ok := pc.resCache.GetGVRCache(gvk) - if !ok { - if genericCache, err = pc.resCache.CreateGVKInformer(gvk); err != nil { - return fmt.Errorf("failed to create informer for %s: %v", gvk, err) - } - } - pc.rm.RegisterScope(gvk, genericCache.IsNamespaced()) - return nil -} - func (pc *PolicyController) applyAndReportPerNamespace(policy *kyverno.ClusterPolicy, kind string, ns string, rule kyverno.Rule, logger logr.Logger, metricAlreadyRegistered *bool) { rMap := pc.getResourcesPerNamespace(kind, ns, rule, logger) excludeAutoGenResources(*policy, rMap, logger) @@ -90,7 +78,7 @@ func (pc *PolicyController) applyPolicy(policy *kyverno.ClusterPolicy, resource } namespaceLabels := common.GetNamespaceSelectorsFromNamespaceLister(resource.GetKind(), resource.GetNamespace(), pc.nsLister, logger) - engineResponse := applyPolicy(*policy, resource, logger, pc.configHandler.GetExcludeGroupRole(), pc.resCache, pc.client, namespaceLabels) + engineResponse := applyPolicy(*policy, resource, logger, pc.configHandler.GetExcludeGroupRole(), pc.client, namespaceLabels) engineResponses = append(engineResponses, engineResponse...) // post-processing, register the resource as processed 
@@ -217,11 +205,13 @@ func (pc *PolicyController) processExistingKinds(kind []string, policy *kyverno. logger = logger.WithValues("rule", rule.Name, "kind", k) namespaced, err := pc.rm.GetScope(k) if err != nil { - if err := pc.registerResource(k); err != nil { + resourceSchema, _, err := pc.client.DiscoveryClient.FindResource("", k) + if err != nil { logger.Error(err, "failed to find resource", "kind", k) continue } - namespaced, _ = pc.rm.GetScope(k) + namespaced = resourceSchema.Namespaced + pc.rm.RegisterScope(k, namespaced) } // this tracker would help to ensure that even for multiple namespaces, duplicate metric are not generated @@ -231,6 +221,7 @@ func (pc *PolicyController) processExistingKinds(kind []string, policy *kyverno. pc.applyAndReportPerNamespace(policy, k, "", rule, logger.WithValues("kind", k), &metricRegisteredTracker) continue } + namespaces := pc.getNamespacesForRule(&rule, logger.WithValues("kind", k)) for _, ns := range namespaces { // for kind: Policy, consider only the namespace which the policy belongs to. diff --git a/pkg/policy/generate/validate.go b/pkg/policy/generate/validate.go index 12053b0730..90c7e13ef0 100644 --- a/pkg/policy/generate/validate.go +++ b/pkg/policy/generate/validate.go @@ -89,7 +89,7 @@ func (g *Generate) validateClone(c kyverno.CloneFrom, kind string) (string, erro return "", err } if !ok { - return "", fmt.Errorf("kyverno does not have permissions to 'get' resource %s/%s. Update permissions in ClusterRole 'kyverno:generatecontroller'", kind, namespace) + return "", fmt.Errorf("kyverno does not have permissions to 'get' resource %s/%s. Update permissions in ClusterRole 'kyverno:generate'", kind, namespace) } } else { g.log.V(4).Info("name & namespace uses variables, so cannot be resolved. Skipping Auth Checks.") 
@@ -109,7 +109,7 @@ func (g *Generate) canIGenerate(kind, namespace string) error { return err } if !ok { - return fmt.Errorf("kyverno does not have permissions to 'create' resource %s/%s. Update permissions in ClusterRole 'kyverno:generatecontroller'", kind, namespace) + return fmt.Errorf("kyverno does not have permissions to 'create' resource %s/%s. Update permissions in ClusterRole 'kyverno:generate'", kind, namespace) } // UPDATE ok, err = authCheck.CanIUpdate(kind, namespace) @@ -118,7 +118,7 @@ func (g *Generate) canIGenerate(kind, namespace string) error { return err } if !ok { - return fmt.Errorf("kyverno does not have permissions to 'update' resource %s/%s. Update permissions in ClusterRole 'kyverno:generatecontroller'", kind, namespace) + return fmt.Errorf("kyverno does not have permissions to 'update' resource %s/%s. Update permissions in ClusterRole 'kyverno:generate'", kind, namespace) } // GET ok, err = authCheck.CanIGet(kind, namespace) @@ -127,7 +127,7 @@ func (g *Generate) canIGenerate(kind, namespace string) error { return err } if !ok { - return fmt.Errorf("kyverno does not have permissions to 'get' resource %s/%s. Update permissions in ClusterRole 'kyverno:generatecontroller'", kind, namespace) + return fmt.Errorf("kyverno does not have permissions to 'get' resource %s/%s. Update permissions in ClusterRole 'kyverno:generate'", kind, namespace) } // DELETE @@ -137,7 +137,7 @@ func (g *Generate) canIGenerate(kind, namespace string) error { return err } if !ok { - return fmt.Errorf("kyverno does not have permissions to 'delete' resource %s/%s. Update permissions in ClusterRole 'kyverno:generatecontroller'", kind, namespace) + return fmt.Errorf("kyverno does not have permissions to 'delete' resource %s/%s. Update permissions in ClusterRole 'kyverno:generate'", kind, namespace) } } else { diff --git a/pkg/policy/policy_controller.go b/pkg/policy/policy_controller.go index 7791bbb6d8..703b4862b1 100644 --- a/pkg/policy/policy_controller.go 
+++ b/pkg/policy/policy_controller.go @@ -23,7 +23,6 @@ import ( "github.com/kyverno/kyverno/pkg/metrics" pm "github.com/kyverno/kyverno/pkg/policymutation" "github.com/kyverno/kyverno/pkg/policyreport" - "github.com/kyverno/kyverno/pkg/resourcecache" "github.com/kyverno/kyverno/pkg/utils" v1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/errors" @@ -82,12 +81,6 @@ type PolicyController struct { // npListerSynced returns true if the namespace policy store has been synced at least once npListerSynced cache.InformerSynced - // pvListerSynced returns true if the cluster policy violation store has been synced at least once - cpvListerSynced cache.InformerSynced - - // pvListerSynced returns true if the policy violation store has been synced at least once - nspvListerSynced cache.InformerSynced - // nsListerSynced returns true if the namespace store has been synced at least once nsListerSynced cache.InformerSynced @@ -105,9 +98,6 @@ type PolicyController struct { policyReportEraser policyreport.PolicyReportEraser - // resCache - controls creation and fetching of resource informer cache - resCache resourcecache.ResourceCache - reconcilePeriod time.Duration log logr.Logger @@ -129,7 +119,6 @@ func NewPolicyController( policyReportEraser policyreport.PolicyReportEraser, namespaces informers.NamespaceInformer, log logr.Logger, - resCache resourcecache.ResourceCache, reconcilePeriod time.Duration, promConfig *metrics.PromConfig) (*PolicyController, error) { @@ -153,7 +142,6 @@ func NewPolicyController( configHandler: configHandler, prGenerator: prGenerator, policyReportEraser: policyReportEraser, - resCache: resCache, reconcilePeriod: reconcilePeriod, promConfig: promConfig, log: log, diff --git a/pkg/webhooks/generation.go b/pkg/webhooks/generation.go index 06fa382243..90ace7f468 100644 --- a/pkg/webhooks/generation.go +++ b/pkg/webhooks/generation.go 
@@ -73,7 +73,6 @@ func (ws *WebhookServer) handleGenerate( AdmissionInfo: userRequestInfo, ExcludeGroupRole: dynamicConfig.GetExcludeGroupRole(), ExcludeResourceFunc: ws.configHandler.ToFilter, - ResourceCache: ws.resCache, JSONContext: ctx, Client: ws.client, } diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go index 6b97e4b757..9d20e85085 100644 --- a/pkg/webhooks/server.go +++ b/pkg/webhooks/server.go @@ -29,7 +29,6 @@ import ( "github.com/kyverno/kyverno/pkg/openapi" "github.com/kyverno/kyverno/pkg/policycache" "github.com/kyverno/kyverno/pkg/policyreport" - "github.com/kyverno/kyverno/pkg/resourcecache" tlsutils "github.com/kyverno/kyverno/pkg/tls" "github.com/kyverno/kyverno/pkg/userinfo" "github.com/kyverno/kyverno/pkg/utils" @@ -122,9 +121,6 @@ type WebhookServer struct { openAPIController *openapi.Controller - // resCache - controls creation and fetching of resource informer cache - resCache resourcecache.ResourceCache - grController *generate.Controller promConfig *metrics.PromConfig @@ -154,7 +150,6 @@ func NewWebhookServer( cleanUp chan<- struct{}, log logr.Logger, openAPIController *openapi.Controller, - resCache resourcecache.ResourceCache, grc *generate.Controller, promConfig *metrics.PromConfig, ) (*WebhookServer, error) { @@ -200,7 +195,6 @@ func NewWebhookServer( auditHandler: auditHandler, log: log, openAPIController: openAPIController, - resCache: resCache, promConfig: promConfig, } @@ -385,7 +379,6 @@ func (ws *WebhookServer) buildPolicyContext(request *v1beta1.AdmissionRequest, a AdmissionInfo: userRequestInfo, ExcludeGroupRole: ws.configHandler.GetExcludeGroupRole(), ExcludeResourceFunc: ws.configHandler.ToFilter, - ResourceCache: ws.resCache, JSONContext: ctx, Client: ws.client, } 
@@ -551,7 +544,6 @@ func (ws *WebhookServer) resourceValidation(request *v1beta1.AdmissionRequest) * AdmissionInfo: userRequestInfo, ExcludeGroupRole: ws.configHandler.GetExcludeGroupRole(), ExcludeResourceFunc: ws.configHandler.ToFilter, - ResourceCache: ws.resCache, JSONContext: ctx, Client: ws.client, } diff --git a/pkg/webhooks/validate_audit.go b/pkg/webhooks/validate_audit.go index e9ad6365d9..b7732bde0f 100644 --- a/pkg/webhooks/validate_audit.go +++ b/pkg/webhooks/validate_audit.go @@ -19,7 +19,6 @@ import ( "github.com/kyverno/kyverno/pkg/metrics" "github.com/kyverno/kyverno/pkg/policycache" "github.com/kyverno/kyverno/pkg/policyreport" - "github.com/kyverno/kyverno/pkg/resourcecache" "github.com/kyverno/kyverno/pkg/userinfo" "k8s.io/api/admission/v1beta1" utilruntime "k8s.io/apimachinery/pkg/util/runtime" @@ -62,7 +61,6 @@ type auditHandler struct { log logr.Logger configHandler config.Interface - resCache resourcecache.ResourceCache promConfig *metrics.PromConfig } @@ -75,7 +73,6 @@ func NewValidateAuditHandler(pCache policycache.Interface, namespaces informers.NamespaceInformer, log logr.Logger, dynamicConfig config.Interface, - resCache resourcecache.ResourceCache, client *client.Client, promConfig *metrics.PromConfig) AuditHandler { @@ -92,7 +89,6 @@ func NewValidateAuditHandler(pCache policycache.Interface, log: log, prGenerator: prGenerator, configHandler: dynamicConfig, - resCache: resCache, client: client, promConfig: promConfig, } @@ -195,7 +191,6 @@ func (h *auditHandler) process(request *v1beta1.AdmissionRequest) error { AdmissionInfo: userRequestInfo, ExcludeGroupRole: h.configHandler.GetExcludeGroupRole(), ExcludeResourceFunc: h.configHandler.ToFilter, - ResourceCache: h.resCache, JSONContext: ctx, Client: h.client, }