mirror of https://github.com/kyverno/kyverno.git synced 2025-01-20 18:52:16 +00:00

remove unnecessary comments and reduce cache resync intervals

Jim Bugwadia 2020-05-17 09:51:18 -07:00
parent fa06cace5f
commit bc37d27de6
2 changed files with 40 additions and 39 deletions


@ -33,6 +33,8 @@ import (
log "sigs.k8s.io/controller-runtime/pkg/log" log "sigs.k8s.io/controller-runtime/pkg/log"
) )
const resyncPeriod = 15 * time.Minute
var ( var (
kubeconfig string kubeconfig string
serverIP string serverIP string
@ -61,15 +63,11 @@ func main() {
// Generate CSR with CN as FQDN due to https://github.com/nirmata/kyverno/issues/542 // Generate CSR with CN as FQDN due to https://github.com/nirmata/kyverno/issues/542
flag.BoolVar(&fqdncn, "fqdn-as-cn", false, "use FQDN as Common Name in CSR") flag.BoolVar(&fqdncn, "fqdn-as-cn", false, "use FQDN as Common Name in CSR")
flag.Parse() flag.Parse()
version.PrintVersionInfo(log.Log) version.PrintVersionInfo(log.Log)
// cleanUp Channel
cleanUp := make(chan struct{}) cleanUp := make(chan struct{})
// handle os signals
stopCh := signal.SetupSignalHandler() stopCh := signal.SetupSignalHandler()
// CLIENT CONFIG
clientConfig, err := config.CreateClientConfig(kubeconfig, log.Log) clientConfig, err := config.CreateClientConfig(kubeconfig, log.Log)
if err != nil { if err != nil {
setupLog.Error(err, "Failed to build kubeconfig") setupLog.Error(err, "Failed to build kubeconfig")
@ -88,39 +86,31 @@ func main() {
// DYNAMIC CLIENT // DYNAMIC CLIENT
// - client for all registered resources // - client for all registered resources
// - invalidate local cache of registered resource every 10 seconds client, err := dclient.NewClient(clientConfig, 5*time.Minute, stopCh, log.Log)
client, err := dclient.NewClient(clientConfig, 10*time.Second, stopCh, log.Log)
if err != nil { if err != nil {
setupLog.Error(err, "Failed to create client") setupLog.Error(err, "Failed to create client")
os.Exit(1) os.Exit(1)
} }
// CRD CHECK // CRD CHECK
// - verify if the CRD for Policy & PolicyViolation are available // - verify if the CRD for Policy & PolicyViolation are available
if !utils.CRDInstalled(client.DiscoveryClient, log.Log) { if !utils.CRDInstalled(client.DiscoveryClient, log.Log) {
setupLog.Error(fmt.Errorf("pre-requisite CRDs not installed"), "Failed to create watch on kyverno CRDs") setupLog.Error(fmt.Errorf("pre-requisite CRDs not installed"), "Failed to create watch on kyverno CRDs")
os.Exit(1) os.Exit(1)
} }
// KUBERNETES CLIENT
kubeClient, err := utils.NewKubeClient(clientConfig) kubeClient, err := utils.NewKubeClient(clientConfig)
if err != nil { if err != nil {
setupLog.Error(err, "Failed to create kubernetes client") setupLog.Error(err, "Failed to create kubernetes client")
os.Exit(1) os.Exit(1)
} }
// TODO(shuting): To be removed for v1.2.0 // TODO: To be removed for v1.2.0
utils.CleanupOldCrd(client, log.Log) utils.CleanupOldCrd(client, log.Log)
// KUBERNETES RESOURCES INFORMER kubeInformer := kubeinformers.NewSharedInformerFactoryWithOptions(kubeClient, resyncPeriod)
// watches namespace resource kubedynamicInformer := client.NewDynamicSharedInformerFactory(resyncPeriod)
// - cache resync time: 10 seconds
kubeInformer := kubeinformers.NewSharedInformerFactoryWithOptions(
kubeClient,
10*time.Second)
// KUBERNETES Dynamic informer
// - cahce resync time: 10 seconds
kubedynamicInformer := client.NewDynamicSharedInformerFactory(10 * time.Second)
// WERBHOOK REGISTRATION CLIENT
webhookRegistrationClient := webhookconfig.NewWebhookRegistrationClient( webhookRegistrationClient := webhookconfig.NewWebhookRegistrationClient(
clientConfig, clientConfig,
client, client,
@ -143,10 +133,7 @@ func main() {
// watches CRD resources: // watches CRD resources:
// - Policy // - Policy
// - PolicyVolation // - PolicyVolation
// - cache resync time: 10 seconds pInformer := kyvernoinformer.NewSharedInformerFactoryWithOptions(pclient, resyncPeriod)
pInformer := kyvernoinformer.NewSharedInformerFactoryWithOptions(
pclient,
10*time.Second)
// Configuration Data // Configuration Data
// dynamically load the configuration from configMap // dynamically load the configuration from configMap
@ -187,8 +174,7 @@ func main() {
// POLICY CONTROLLER // POLICY CONTROLLER
// - reconciliation policy and policy violation // - reconciliation policy and policy violation
// - process policy on existing resources // - process policy on existing resources
// - status aggregator: receives stats when a policy is applied // - status aggregator: receives stats when a policy is applied & updates the policy status
// & updates the policy status
pc, err := policy.NewPolicyController(pclient, pc, err := policy.NewPolicyController(pclient,
client, client,
pInformer.Kyverno().V1().ClusterPolicies(), pInformer.Kyverno().V1().ClusterPolicies(),
@ -201,6 +187,7 @@ func main() {
rWebhookWatcher, rWebhookWatcher,
log.Log.WithName("PolicyController"), log.Log.WithName("PolicyController"),
) )
if err != nil { if err != nil {
setupLog.Error(err, "Failed to create policy controller") setupLog.Error(err, "Failed to create policy controller")
os.Exit(1) os.Exit(1)
@ -222,6 +209,7 @@ func main() {
statusSync.Listener, statusSync.Listener,
log.Log.WithName("GenerateController"), log.Log.WithName("GenerateController"),
) )
// GENERATE REQUEST CLEANUP // GENERATE REQUEST CLEANUP
// -- cleans up the generate requests that have not been processed(i.e. state = [Pending, Failed]) for more than defined timeout // -- cleans up the generate requests that have not been processed(i.e. state = [Pending, Failed]) for more than defined timeout
grcc := generatecleanup.NewController( grcc := generatecleanup.NewController(
@ -257,7 +245,7 @@ func main() {
} }
// Sync openAPI definitions of resources // Sync openAPI definitions of resources
openApiSync := openapi.NewCRDSync(client, openAPIController) openAPISync := openapi.NewCRDSync(client, openAPIController)
// WEBHOOOK // WEBHOOOK
// - https server to provide endpoints called based on rules defined in Mutating & Validation webhook configuration // - https server to provide endpoints called based on rules defined in Mutating & Validation webhook configuration
@ -284,10 +272,12 @@ func main() {
log.Log.WithName("WebhookServer"), log.Log.WithName("WebhookServer"),
openAPIController, openAPIController,
) )
if err != nil { if err != nil {
setupLog.Error(err, "Failed to create webhook server") setupLog.Error(err, "Failed to create webhook server")
os.Exit(1) os.Exit(1)
} }
// Start the components // Start the components
pInformer.Start(stopCh) pInformer.Start(stopCh)
kubeInformer.Start(stopCh) kubeInformer.Start(stopCh)
@ -302,7 +292,7 @@ func main() {
go grcc.Run(1, stopCh) go grcc.Run(1, stopCh)
go pvgen.Run(1, stopCh) go pvgen.Run(1, stopCh)
go statusSync.Run(1, stopCh) go statusSync.Run(1, stopCh)
openApiSync.Run(1, stopCh) openAPISync.Run(1, stopCh)
// verifys if the admission control is enabled and active // verifys if the admission control is enabled and active
// resync: 60 seconds // resync: 60 seconds
@ -319,8 +309,10 @@ func main() {
defer func() { defer func() {
cancel() cancel()
}() }()
// cleanup webhookconfigurations followed by webhook shutdown // cleanup webhookconfigurations followed by webhook shutdown
server.Stop(ctx) server.Stop(ctx)
// resource cleanup // resource cleanup
// remove webhook configurations // remove webhook configurations
<-cleanUp <-cleanUp
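Review bot: In the `@ -88,39 +86,31` hunk the `5*time.Minute` passed to `dclient.NewClient` is a bare literal that differs from the new `resyncPeriod`, and the comment this commit removes was the only statement that the argument is the interval at which the local cache of registered resources is invalidated. Going by that removed comment, a kind registered after start-up can now stay unknown to the client for up to five minutes instead of ten seconds, which matters for a policy engine, so I would name and document the value next to `resyncPeriod`, e.g. `const discoveryCacheResync = 5 * time.Minute // upper bound on how long a newly registered kind stays unknown`. `resyncPeriod` itself deserves a one-line comment saying it is shared by the three informer factories and that any handler relying on resync for periodic re-evaluation now fires every 15 minutes. The body of `main` begins and ends outside these hunks, so whether any controller depends on the old 10-second cadence cannot be confirmed from this page.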


@ -53,26 +53,35 @@ func listResources(client *client.Client, policy kyverno.ClusterPolicy, configHa
resourceMap := map[string]unstructured.Unstructured{} resourceMap := map[string]unstructured.Unstructured{}
for _, rule := range policy.Spec.Rules { for _, rule := range policy.Spec.Rules {
// resources that match
for _, k := range rule.MatchResources.Kinds { for _, k := range rule.MatchResources.Kinds {
var namespaces []string
if len(rule.MatchResources.Namespaces) > 0 { resourceSchema, _, err := client.DiscoveryClient.FindResource(k)
namespaces = append(namespaces, rule.MatchResources.Namespaces...) if err != nil {
log.V(4).Info("namespaces included", "namespaces", rule.MatchResources.Namespaces) log.Error(err, "failed to find resource", "kind", k)
} else { continue
log.V(4).Info("processing all namespaces", "rule", rule.Name)
// get all namespaces
namespaces = getAllNamespaces(client, log)
} }
// get resources in the namespaces if !resourceSchema.Namespaced {
for _, ns := range namespaces { rMap := getResourcesPerNamespace(k, client, "", rule, configHandler, log)
rMap := getResourcesPerNamespace(k, client, ns, rule, configHandler, log)
mergeresources(resourceMap, rMap) mergeresources(resourceMap, rMap)
} } else {
var namespaces []string
if len(rule.MatchResources.Namespaces) > 0 {
log.V(4).Info("namespaces included", "namespaces", rule.MatchResources.Namespaces)
namespaces = append(namespaces, rule.MatchResources.Namespaces...)
} else {
log.V(4).Info("processing all namespaces", "rule", rule.Name)
namespaces = getAllNamespaces(client, log)
}
for _, ns := range namespaces {
rMap := getResourcesPerNamespace(k, client, ns, rule, configHandler, log)
mergeresources(resourceMap, rMap)
}
}
} }
} }
return resourceMap return resourceMap
} }
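Review bot: The new `FindResource(k)` error branch logs and then `continue`s, so every existing resource of that kind is left out of `resourceMap` for this pass and, presumably, is not evaluated against the policy by the caller. For a policy engine that is a fail-open path, reachable whenever discovery does not yet know the kind; the log line should at least identify the rule, `log.Error(err, "failed to find resource; kind skipped for this rule", "kind", k, "rule", rule.Name)`, and the skip is worth a comment saying it is intentional. The cluster-scoped branch also passes `""` to `getResourcesPerNamespace` and ignores `rule.MatchResources.Namespaces`, which deserves a short comment such as `// cluster-scoped kind: list without a namespace`. `listResources` opens before the first line of this hunk, so how callers treat a missing kind is not visible here.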