create policy mutating webhook config resouce + refactoring

2025-04-18 02:06:52 +00:00 · 2019-08-27 14:52:56 -07:00 · 2019-08-27 14:52:56 -07:00 · bfb16b0c11
commit bfb16b0c11
parent 6d948e6e15
7 changed files with 500 additions and 353 deletions
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@ -19,6 +19,10 @@ const (
 	PolicyValidatingWebhookConfigurationDebug = "kyverno-policy-validating-webhook-cfg-debug"
 	PolicyValidatingWebhookName               = "nirmata.kyverno.policy-validating-webhook"

+	PolicyMutatingWebhookConfigurationName      = "kyverno-policy-mutating-webhook-cfg"
+	PolicyMutatingWebhookConfigurationDebugName = "kyverno-policy-mutating-webhook-cfg-debug"
+	PolicyMutatingWebhookName                   = "nirmata.kyverno.policy-mutating-webhook"
+
 	// Due to kubernetes issue, we must use next literal constants instead of deployment TypeMeta fields
 	// Issue: https://github.com/kubernetes/kubernetes/pull/63972
 	// When the issue is closed, we should use TypeMeta struct instead of this constants
@ -31,6 +35,7 @@ var (
 	MutatingWebhookServicePath         = "/mutate"
 	ValidatingWebhookServicePath       = "/validate"
 	PolicyValidatingWebhookServicePath = "/policyvalidate"
+	PolicyMutatingWebhookServicePath   = "/policymutate"
 	KubePolicyAppLabels                = map[string]string{
 		"app": "kyverno",
 	}
--- a/pkg/policy/controller.go
+++ b/pkg/policy/controller.go
@ -465,17 +465,17 @@ func (pc *PolicyController) handleWebhookRegistration(delete bool, policy *kyver
 		// check empty policy first, then rule type in terms of O(time)
 		if policies == nil {
 			glog.V(3).Infoln("No policy found in the cluster, deregistering webhook")
-			pc.webhookRegistrationClient.DeregisterMutatingWebhook()
+			pc.webhookRegistrationClient.RemoveResourceMutatingWebhookConfiguration()
 		} else if !HasMutateOrValidatePolicies(policies) {
 			glog.V(3).Infoln("No muatate/validate policy found in the cluster, deregistering webhook")
-			pc.webhookRegistrationClient.DeregisterMutatingWebhook()
+			pc.webhookRegistrationClient.RemoveResourceMutatingWebhookConfiguration()
 		}
 		return nil
 	}

 	if webhookList == nil && HasMutateOrValidate(*policy) {
 		glog.V(3).Infoln("Found policy without mutatingwebhook, registering webhook")
-		pc.webhookRegistrationClient.RegisterMutatingWebhook()
+		pc.webhookRegistrationClient.CreateResourceMutatingWebhookConfiguration()
 	}

 	return nil
--- a/pkg/webhookconfig/common.go
+++ b/pkg/webhookconfig/common.go
@ -0,0 +1,120 @@
+package webhookconfig
+
+import (
+	"io/ioutil"
+
+	"github.com/golang/glog"
+	"github.com/nirmata/kyverno/pkg/config"
+	admregapi "k8s.io/api/admissionregistration/v1beta1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	rest "k8s.io/client-go/rest"
+)
+
+func (wrc *WebhookRegistrationClient) readCaData() []byte {
+	var caData []byte
+	// Check if ca is defined in the secret tls-ca
+	// assume the key and signed cert have been defined in secret tls.kyverno
+	if caData = wrc.client.ReadRootCASecret(); len(caData) != 0 {
+		glog.V(4).Infof("read CA from secret")
+		return caData
+	}
+	glog.V(4).Infof("failed to read CA from secret, reading from kubeconfig")
+	// load the CA from kubeconfig
+	if caData = extractCA(wrc.clientConfig); len(caData) != 0 {
+		glog.V(4).Infof("read CA from kubeconfig")
+		return caData
+	}
+	glog.V(4).Infof("failed to read CA from kubeconfig")
+	return nil
+}
+
+// ExtractCA used for extraction CA from config
+func extractCA(config *rest.Config) (result []byte) {
+	fileName := config.TLSClientConfig.CAFile
+
+	if fileName != "" {
+		result, err := ioutil.ReadFile(fileName)
+
+		if err != nil {
+			return nil
+		}
+
+		return result
+	}
+
+	return config.TLSClientConfig.CAData
+}
+
+func (wrc *WebhookRegistrationClient) constructOwner() v1.OwnerReference {
+	kubePolicyDeployment, err := wrc.client.GetKubePolicyDeployment()
+
+	if err != nil {
+		glog.Errorf("Error when constructing OwnerReference, err: %v\n", err)
+		return v1.OwnerReference{}
+	}
+
+	return v1.OwnerReference{
+		APIVersion: config.DeploymentAPIVersion,
+		Kind:       config.DeploymentKind,
+		Name:       kubePolicyDeployment.ObjectMeta.Name,
+		UID:        kubePolicyDeployment.ObjectMeta.UID,
+	}
+}
+
+func generateDebugWebhook(name, url string, caData []byte, validate bool, timeoutSeconds int32, resource, apiGroups, apiVersions string, operationTypes []admregapi.OperationType) admregapi.Webhook {
+	return admregapi.Webhook{
+		Name: name,
+		ClientConfig: admregapi.WebhookClientConfig{
+			URL:      &url,
+			CABundle: caData,
+		},
+		Rules: []admregapi.RuleWithOperations{
+			admregapi.RuleWithOperations{
+				Operations: operationTypes,
+				Rule: admregapi.Rule{
+					APIGroups: []string{
+						apiGroups,
+					},
+					APIVersions: []string{
+						apiVersions,
+					},
+					Resources: []string{
+						resource,
+					},
+				},
+			},
+		},
+		TimeoutSeconds: &timeoutSeconds,
+	}
+}
+
+func generateWebhook(name, servicePath string, caData []byte, validation bool, timeoutSeconds int32, resource, apiGroups, apiVersions string, operationTypes []admregapi.OperationType) admregapi.Webhook {
+	return admregapi.Webhook{
+		Name: name,
+		ClientConfig: admregapi.WebhookClientConfig{
+			Service: &admregapi.ServiceReference{
+				Namespace: config.KubePolicyNamespace,
+				Name:      config.WebhookServiceName,
+				Path:      &servicePath,
+			},
+			CABundle: caData,
+		},
+		Rules: []admregapi.RuleWithOperations{
+			admregapi.RuleWithOperations{
+				Operations: operationTypes,
+				Rule: admregapi.Rule{
+					APIGroups: []string{
+						apiGroups,
+					},
+					APIVersions: []string{
+						apiVersions,
+					},
+					Resources: []string{
+						resource,
+					},
+				},
+			},
+		},
+		TimeoutSeconds: &timeoutSeconds,
+	}
+}
--- a/pkg/webhookconfig/policy.go
+++ b/pkg/webhookconfig/policy.go
@ -0,0 +1,110 @@
+package webhookconfig
+
+import (
+	"fmt"
+
+	"github.com/golang/glog"
+	"github.com/nirmata/kyverno/pkg/config"
+	admregapi "k8s.io/api/admissionregistration/v1beta1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func (wrc *WebhookRegistrationClient) contructPolicyValidatingWebhookConfig(caData []byte) *admregapi.ValidatingWebhookConfiguration {
+
+	return &admregapi.ValidatingWebhookConfiguration{
+		ObjectMeta: v1.ObjectMeta{
+			Name:   config.PolicyValidatingWebhookConfigurationName,
+			Labels: config.KubePolicyAppLabels,
+			OwnerReferences: []v1.OwnerReference{
+				wrc.constructOwner(),
+			},
+		},
+		Webhooks: []admregapi.Webhook{
+			generateWebhook(
+				config.PolicyValidatingWebhookName,
+				config.PolicyValidatingWebhookServicePath,
+				caData,
+				true,
+				wrc.timeoutSeconds,
+				"policies/*",
+				"kyverno.io",
+				"v1alpha1",
+				[]admregapi.OperationType{admregapi.Create, admregapi.Update},
+			),
+		},
+	}
+}
+
+func (wrc *WebhookRegistrationClient) contructDebugPolicyValidatingWebhookConfig(caData []byte) *admregapi.ValidatingWebhookConfiguration {
+	url := fmt.Sprintf("https://%s%s", wrc.serverIP, config.PolicyValidatingWebhookServicePath)
+	glog.V(4).Infof("Debug PolicyValidatingWebhookConfig is registered with url %s\n", url)
+
+	return &admregapi.ValidatingWebhookConfiguration{
+		ObjectMeta: v1.ObjectMeta{
+			Name:   config.PolicyValidatingWebhookConfigurationDebug,
+			Labels: config.KubePolicyAppLabels,
+		},
+		Webhooks: []admregapi.Webhook{
+			generateDebugWebhook(
+				config.PolicyValidatingWebhookName,
+				url,
+				caData,
+				true,
+				wrc.timeoutSeconds,
+				"policies/*",
+				"kyverno.io",
+				"v1alpha1",
+				[]admregapi.OperationType{admregapi.Create},
+			),
+		},
+	}
+}
+
+func (wrc *WebhookRegistrationClient) contructPolicyMutatingWebhookConfig(caData []byte) *admregapi.MutatingWebhookConfiguration {
+	return &admregapi.MutatingWebhookConfiguration{
+		ObjectMeta: v1.ObjectMeta{
+			Name:   config.PolicyMutatingWebhookConfigurationName,
+			Labels: config.KubePolicyAppLabels,
+			OwnerReferences: []v1.OwnerReference{
+				wrc.constructOwner(),
+			},
+		},
+		Webhooks: []admregapi.Webhook{
+			generateWebhook(
+				config.PolicyMutatingWebhookName,
+				config.PolicyMutatingWebhookServicePath,
+				caData,
+				true,
+				wrc.timeoutSeconds,
+				"policies/*",
+				"kyverno.io",
+				"v1alpha1",
+				[]admregapi.OperationType{admregapi.Create},
+			),
+		},
+	}
+}
+func (wrc *WebhookRegistrationClient) contructDebugPolicyMutatingWebhookConfig(caData []byte) *admregapi.MutatingWebhookConfiguration {
+	url := fmt.Sprintf("https://%s%s", wrc.serverIP, config.PolicyValidatingWebhookServicePath)
+	glog.V(4).Infof("Debug PolicyMutatingWebhookConfig is registered with url %s\n", url)
+
+	return &admregapi.MutatingWebhookConfiguration{
+		ObjectMeta: v1.ObjectMeta{
+			Name:   config.PolicyMutatingWebhookConfigurationDebugName,
+			Labels: config.KubePolicyAppLabels,
+		},
+		Webhooks: []admregapi.Webhook{
+			generateDebugWebhook(
+				config.PolicyMutatingWebhookName,
+				url,
+				caData,
+				true,
+				wrc.timeoutSeconds,
+				"policies/*",
+				"kyverno.io",
+				"v1alpha1",
+				[]admregapi.OperationType{admregapi.Create},
+			),
+		},
+	}
+}
--- a/pkg/webhookconfig/registration.go
+++ b/pkg/webhookconfig/registration.go
@ -2,9 +2,6 @@ package webhookconfig

 import (
 	"errors"
-	"fmt"
-	"io/ioutil"
-	"strings"

 	"github.com/golang/glog"
 	"github.com/nirmata/kyverno/pkg/config"
@ -56,19 +53,45 @@ func (wrc *WebhookRegistrationClient) Register() error {
 	}

 	// For the case if cluster already has this configs
-	wrc.DeregisterAll()
+	// remove previously create webhookconfigurations if any
+	// webhook configurations are created dynamically based on the policy resources
+	wrc.removeWebhookConfigurations()

-	// register policy validating webhook during inital start
-	return wrc.RegisterPolicyValidatingWebhook()
-}
-
-func (wrc *WebhookRegistrationClient) RegisterMutatingWebhook() error {
-	mutatingWebhookConfig, err := wrc.constructMutatingWebhookConfig(wrc.clientConfig)
-	if err != nil {
+	// Static Webhook configuration on Policy CRD
+	// create Policy CRD validating webhook configuration resource
+	// used for validating Policy CR
+	if err := wrc.createPolicyValidatingWebhookConfiguration(); err != nil {
 		return err
 	}
+	// create Policy CRD validating webhook configuration resource
+	// used for defauling values in Policy CR
+	if err := wrc.createPolicyMutatingWebhookConfiguration(); err != nil {
+		return err
+	}
+	return nil
+}

-	if _, err = wrc.registrationClient.MutatingWebhookConfigurations().Create(mutatingWebhookConfig); err != nil {
+func (wrc *WebhookRegistrationClient) CreateResourceMutatingWebhookConfiguration() error {
+	var caData []byte
+	var config *admregapi.MutatingWebhookConfiguration
+
+	// read CA data from
+	// 1) secret(config)
+	// 2) kubeconfig
+	if caData = wrc.readCaData(); caData == nil {
+		return errors.New("Unable to extract CA data from configuration")
+	}
+	// if serverIP is specified we assume its debug mode
+	if wrc.serverIP != "" {
+		// debug mode
+		// clientConfig - URL
+		config = wrc.contructDebugMutatingWebhookConfig(caData)
+	} else {
+		// clientConfig - service
+		config = wrc.constructMutatingWebhookConfig(caData)
+	}
+
+	if _, err := wrc.registrationClient.MutatingWebhookConfigurations().Create(config); err != nil {
 		return err
 	}

@ -76,13 +99,26 @@ func (wrc *WebhookRegistrationClient) RegisterMutatingWebhook() error {
 	return nil
 }

-func (wrc *WebhookRegistrationClient) RegisterValidatingWebhook() error {
-	validationWebhookConfig, err := wrc.constructValidatingWebhookConfig(wrc.clientConfig)
-	if err != nil {
-		return err
-	}
+func (wrc *WebhookRegistrationClient) CreateResourceValidatingWebhookConfiguration() error {
+	var caData []byte
+	var config *admregapi.ValidatingWebhookConfiguration

-	if _, err = wrc.registrationClient.ValidatingWebhookConfigurations().Create(validationWebhookConfig); err != nil {
+	// read CA data from
+	// 1) secret(config)
+	// 2) kubeconfig
+	if caData = wrc.readCaData(); caData == nil {
+		return errors.New("Unable to extract CA data from configuration")
+	}
+	// if serverIP is specified we assume its debug mode
+	if wrc.serverIP != "" {
+		// debug mode
+		// clientConfig - URL
+		config = wrc.contructDebugValidatingWebhookConfig(caData)
+	} else {
+		// clientConfig - service
+		config = wrc.constructValidatingWebhookConfig(caData)
+	}
+	if _, err := wrc.registrationClient.ValidatingWebhookConfigurations().Create(config); err != nil {
 		return err
 	}

@ -90,56 +126,118 @@ func (wrc *WebhookRegistrationClient) RegisterValidatingWebhook() error {
 	return nil
 }

-func (wrc *WebhookRegistrationClient) RegisterPolicyValidatingWebhook() error {
-	policyValidationWebhookConfig, err := wrc.contructPolicyValidatingWebhookConfig()
-	if err != nil {
+//registerPolicyValidatingWebhookConfiguration create a Validating webhook configuration for Policy CRD
+func (wrc *WebhookRegistrationClient) createPolicyValidatingWebhookConfiguration() error {
+	var caData []byte
+	var config *admregapi.ValidatingWebhookConfiguration
+
+	// read CA data from
+	// 1) secret(config)
+	// 2) kubeconfig
+	if caData = wrc.readCaData(); caData == nil {
+		return errors.New("Unable to extract CA data from configuration")
+	}
+
+	// if serverIP is specified we assume its debug mode
+	if wrc.serverIP != "" {
+		// debug mode
+		// clientConfig - URL
+		config = wrc.contructDebugPolicyValidatingWebhookConfig(caData)
+	} else {
+		// clientConfig - service
+		config = wrc.contructPolicyValidatingWebhookConfig(caData)
+	}
+
+	// create validating webhook configuration resource
+	if _, err := wrc.registrationClient.ValidatingWebhookConfigurations().Create(config); err != nil {
 		return err
 	}

-	if _, err = wrc.registrationClient.ValidatingWebhookConfigurations().Create(policyValidationWebhookConfig); err != nil {
+	glog.V(4).Infof("created Validating Webhook Configuration %s ", config.Name)
+	return nil
+}
+
+func (wrc *WebhookRegistrationClient) createPolicyMutatingWebhookConfiguration() error {
+	var caData []byte
+	var config *admregapi.MutatingWebhookConfiguration
+
+	// read CA data from
+	// 1) secret(config)
+	// 2) kubeconfig
+	if caData = wrc.readCaData(); caData == nil {
+		return errors.New("Unable to extract CA data from configuration")
+	}
+
+	// if serverIP is specified we assume its debug mode
+	if wrc.serverIP != "" {
+		// debug mode
+		// clientConfig - URL
+		config = wrc.contructDebugPolicyMutatingWebhookConfig(caData)
+	} else {
+		// clientConfig - service
+		config = wrc.contructPolicyMutatingWebhookConfig(caData)
+	}
+
+	// create mutating webhook configuration resource
+	if _, err := wrc.registrationClient.MutatingWebhookConfigurations().Create(config); err != nil {
 		return err
 	}

-	glog.V(3).Infoln("Policy validating webhook registered")
+	glog.V(4).Infof("created Mutating Webhook Configuration %s ", config.Name)
 	return nil
 }

 // DeregisterAll deletes webhook configs from cluster
 // This function does not fail on error:
 // Register will fail if the config exists, so there is no need to fail on error
-func (wrc *WebhookRegistrationClient) DeregisterAll() {
-	wrc.DeregisterMutatingWebhook()
-	wrc.deregisterValidatingWebhook()
+func (wrc *WebhookRegistrationClient) removeWebhookConfigurations() {
+	// mutating and validating webhook configuration for Kubernetes resources
+	wrc.RemoveResourceMutatingWebhookConfiguration()
+	wrc.removeResourceValidatingWebhookConfiguration()

+	// mutating and validating webhook configurtion for Policy CRD resource
+	wrc.removePolicyWebhookConfigurations()
+}
+
+// removePolicyWebhookConfigurations removes mutating and validating webhook configurations, if already presnt
+// webhookConfigurations are re-created later
+func (wrc *WebhookRegistrationClient) removePolicyWebhookConfigurations() {
+	// Validating webhook configuration
+	var validatingConfig string
 	if wrc.serverIP != "" {
-		err := wrc.registrationClient.ValidatingWebhookConfigurations().Delete(config.PolicyValidatingWebhookConfigurationDebug, &v1.DeleteOptions{})
-		if err != nil && !errorsapi.IsNotFound(err) {
-			glog.Error(err)
-		}
+		validatingConfig = config.PolicyValidatingWebhookConfigurationDebug
+	} else {
+		validatingConfig = config.PolicyValidatingWebhookConfigurationName
 	}
-	err := wrc.registrationClient.ValidatingWebhookConfigurations().Delete(config.PolicyValidatingWebhookConfigurationName, &v1.DeleteOptions{})
+	glog.V(4).Infof("removing webhook configuration %s", validatingConfig)
+	err := wrc.registrationClient.ValidatingWebhookConfigurations().Delete(validatingConfig, &v1.DeleteOptions{})
 	if err != nil && !errorsapi.IsNotFound(err) {
 		glog.Error(err)
 	}
+
+	// Mutating webhook configuration
+	var mutatingConfig string
+	if wrc.serverIP != "" {
+		mutatingConfig = config.PolicyMutatingWebhookConfigurationDebugName
+	} else {
+		mutatingConfig = config.PolicyMutatingWebhookConfigurationName
+	}
+
+	glog.V(4).Infof("removing webhook configuration %s", mutatingConfig)
+	if err := wrc.registrationClient.MutatingWebhookConfigurations().Delete(mutatingConfig, &v1.DeleteOptions{}); err != nil && !errorsapi.IsNotFound(err) {
+		glog.Error(err)
+	}
 }

-func (wrc *WebhookRegistrationClient) deregister() {
-	wrc.DeregisterMutatingWebhook()
-	wrc.deregisterValidatingWebhook()
-}
-
-func (wrc *WebhookRegistrationClient) DeregisterMutatingWebhook() {
+func (wrc *WebhookRegistrationClient) RemoveResourceMutatingWebhookConfiguration() {
+	var configName string
 	if wrc.serverIP != "" {
-		err := wrc.registrationClient.MutatingWebhookConfigurations().Delete(config.MutatingWebhookConfigurationDebug, &v1.DeleteOptions{})
-		if err != nil && !errorsapi.IsNotFound(err) {
-			glog.Error(err)
-		} else {
-			wrc.MutationRegistered.UnSet()
-		}
-		return
+		configName = config.MutatingWebhookConfigurationDebug
+	} else {
+		configName = config.MutatingWebhookConfigurationName
 	}
-
-	err := wrc.registrationClient.MutatingWebhookConfigurations().Delete(config.MutatingWebhookConfigurationName, &v1.DeleteOptions{})
+	// delete webhook configuration
+	err := wrc.registrationClient.MutatingWebhookConfigurations().Delete(configName, &v1.DeleteOptions{})
 	if err != nil && !errorsapi.IsNotFound(err) {
 		glog.Error(err)
 	} else {
@ -147,313 +245,17 @@ func (wrc *WebhookRegistrationClient) DeregisterMutatingWebhook() {
 	}
 }

-func (wrc *WebhookRegistrationClient) deregisterValidatingWebhook() {
+func (wrc *WebhookRegistrationClient) removeResourceValidatingWebhookConfiguration() {
+	var configName string
 	if wrc.serverIP != "" {
-		err := wrc.registrationClient.ValidatingWebhookConfigurations().Delete(config.ValidatingWebhookConfigurationDebug, &v1.DeleteOptions{})
-		if err != nil && !errorsapi.IsNotFound(err) {
-			glog.Error(err)
-		}
-		wrc.ValidationRegistered.UnSet()
-		return
+		configName = config.ValidatingWebhookConfigurationDebug
+	} else {
+		configName = config.ValidatingWebhookConfigurationName
 	}

-	err := wrc.registrationClient.ValidatingWebhookConfigurations().Delete(config.ValidatingWebhookConfigurationName, &v1.DeleteOptions{})
+	err := wrc.registrationClient.ValidatingWebhookConfigurations().Delete(configName, &v1.DeleteOptions{})
 	if err != nil && !errorsapi.IsNotFound(err) {
 		glog.Error(err)
 	}
 	wrc.ValidationRegistered.UnSet()
 }
-
-func (wrc *WebhookRegistrationClient) constructMutatingWebhookConfig(configuration *rest.Config) (*admregapi.MutatingWebhookConfiguration, error) {
-	var caData []byte
-	// Check if ca is defined in the secret tls-ca
-	// assume the key and signed cert have been defined in secret tls.kyverno
-	caData = wrc.client.ReadRootCASecret()
-	if len(caData) == 0 {
-		// load the CA from kubeconfig
-		caData = extractCA(configuration)
-	}
-	if len(caData) == 0 {
-		return nil, errors.New("Unable to extract CA data from configuration")
-	}
-
-	if wrc.serverIP != "" {
-		return wrc.contructDebugMutatingWebhookConfig(caData), nil
-	}
-
-	return &admregapi.MutatingWebhookConfiguration{
-		ObjectMeta: v1.ObjectMeta{
-			Name:   config.MutatingWebhookConfigurationName,
-			Labels: config.KubePolicyAppLabels,
-			OwnerReferences: []v1.OwnerReference{
-				wrc.constructOwner(),
-			},
-		},
-		Webhooks: []admregapi.Webhook{
-			constructWebhook(
-				config.MutatingWebhookName,
-				config.MutatingWebhookServicePath,
-				caData,
-				false,
-				wrc.timeoutSeconds,
-			),
-		},
-	}, nil
-}
-
-func (wrc *WebhookRegistrationClient) contructDebugMutatingWebhookConfig(caData []byte) *admregapi.MutatingWebhookConfiguration {
-	url := fmt.Sprintf("https://%s%s", wrc.serverIP, config.MutatingWebhookServicePath)
-	glog.V(3).Infof("Debug MutatingWebhookConfig is registered with url %s\n", url)
-
-	return &admregapi.MutatingWebhookConfiguration{
-		ObjectMeta: v1.ObjectMeta{
-			Name:   config.MutatingWebhookConfigurationDebug,
-			Labels: config.KubePolicyAppLabels,
-		},
-		Webhooks: []admregapi.Webhook{
-			constructDebugWebhook(
-				config.MutatingWebhookName,
-				url,
-				caData,
-				false,
-				wrc.timeoutSeconds),
-		},
-	}
-}
-
-func (wrc *WebhookRegistrationClient) constructValidatingWebhookConfig(configuration *rest.Config) (*admregapi.ValidatingWebhookConfiguration, error) {
-	// Check if ca is defined in the secret tls-ca
-	// assume the key and signed cert have been defined in secret tls.kyverno
-	caData := wrc.client.ReadRootCASecret()
-	if len(caData) == 0 {
-		// load the CA from kubeconfig
-		caData = extractCA(configuration)
-	}
-	if len(caData) == 0 {
-		return nil, errors.New("Unable to extract CA data from configuration")
-	}
-
-	if wrc.serverIP != "" {
-		return wrc.contructDebugValidatingWebhookConfig(caData), nil
-	}
-
-	return &admregapi.ValidatingWebhookConfiguration{
-		ObjectMeta: v1.ObjectMeta{
-			Name:   config.ValidatingWebhookConfigurationName,
-			Labels: config.KubePolicyAppLabels,
-			OwnerReferences: []v1.OwnerReference{
-				wrc.constructOwner(),
-			},
-		},
-		Webhooks: []admregapi.Webhook{
-			constructWebhook(
-				config.ValidatingWebhookName,
-				config.ValidatingWebhookServicePath,
-				caData,
-				true,
-				wrc.timeoutSeconds),
-		},
-	}, nil
-}
-
-func (wrc *WebhookRegistrationClient) contructDebugValidatingWebhookConfig(caData []byte) *admregapi.ValidatingWebhookConfiguration {
-	url := fmt.Sprintf("https://%s%s", wrc.serverIP, config.ValidatingWebhookServicePath)
-	glog.V(3).Infof("Debug ValidatingWebhookConfig is registered with url %s\n", url)
-
-	return &admregapi.ValidatingWebhookConfiguration{
-		ObjectMeta: v1.ObjectMeta{
-			Name:   config.ValidatingWebhookConfigurationDebug,
-			Labels: config.KubePolicyAppLabels,
-		},
-		Webhooks: []admregapi.Webhook{
-			constructDebugWebhook(
-				config.ValidatingWebhookName,
-				url,
-				caData,
-				true,
-				wrc.timeoutSeconds),
-		},
-	}
-}
-
-func (wrc *WebhookRegistrationClient) contructPolicyValidatingWebhookConfig() (*admregapi.ValidatingWebhookConfiguration, error) {
-	// Check if ca is defined in the secret tls-ca
-	// assume the key and signed cert have been defined in secret tls.kyverno
-	caData := wrc.client.ReadRootCASecret()
-	if len(caData) == 0 {
-		// load the CA from kubeconfig
-		caData = extractCA(wrc.clientConfig)
-	}
-	if len(caData) == 0 {
-		return nil, errors.New("Unable to extract CA data from configuration")
-	}
-
-	if wrc.serverIP != "" {
-		return wrc.contructDebugPolicyValidatingWebhookConfig(caData), nil
-	}
-
-	return &admregapi.ValidatingWebhookConfiguration{
-		ObjectMeta: v1.ObjectMeta{
-			Name:   config.PolicyValidatingWebhookConfigurationName,
-			Labels: config.KubePolicyAppLabels,
-			OwnerReferences: []v1.OwnerReference{
-				wrc.constructOwner(),
-			},
-		},
-		Webhooks: []admregapi.Webhook{
-			constructWebhook(
-				config.PolicyValidatingWebhookName,
-				config.PolicyValidatingWebhookServicePath,
-				caData,
-				true,
-				wrc.timeoutSeconds),
-		},
-	}, nil
-}
-
-func (wrc *WebhookRegistrationClient) contructDebugPolicyValidatingWebhookConfig(caData []byte) *admregapi.ValidatingWebhookConfiguration {
-	url := fmt.Sprintf("https://%s%s", wrc.serverIP, config.PolicyValidatingWebhookServicePath)
-	glog.V(3).Infof("Debug PolicyValidatingWebhookConfig is registered with url %s\n", url)
-
-	return &admregapi.ValidatingWebhookConfiguration{
-		ObjectMeta: v1.ObjectMeta{
-			Name:   config.PolicyValidatingWebhookConfigurationDebug,
-			Labels: config.KubePolicyAppLabels,
-		},
-		Webhooks: []admregapi.Webhook{
-			constructDebugWebhook(
-				config.PolicyValidatingWebhookName,
-				url,
-				caData,
-				true,
-				wrc.timeoutSeconds),
-		},
-	}
-}
-
-func constructWebhook(name, servicePath string, caData []byte, validation bool, timeoutSeconds int32) admregapi.Webhook {
-	resource := "*/*"
-	apiGroups := "*"
-	apiversions := "*"
-	if servicePath == config.PolicyValidatingWebhookServicePath {
-		resource = "policies/*"
-		apiGroups = "kyverno.io"
-		apiversions = "v1alpha1"
-	}
-	operationtypes := []admregapi.OperationType{
-		admregapi.Create,
-		admregapi.Update,
-	}
-	// // Add operation DELETE for validation
-	// if validation {
-	// 	operationtypes = append(operationtypes, admregapi.Delete)
-
-	// }
-
-	return admregapi.Webhook{
-		Name: name,
-		ClientConfig: admregapi.WebhookClientConfig{
-			Service: &admregapi.ServiceReference{
-				Namespace: config.KubePolicyNamespace,
-				Name:      config.WebhookServiceName,
-				Path:      &servicePath,
-			},
-			CABundle: caData,
-		},
-		Rules: []admregapi.RuleWithOperations{
-			admregapi.RuleWithOperations{
-				Operations: operationtypes,
-				Rule: admregapi.Rule{
-					APIGroups: []string{
-						apiGroups,
-					},
-					APIVersions: []string{
-						apiversions,
-					},
-					Resources: []string{
-						resource,
-					},
-				},
-			},
-		},
-		TimeoutSeconds: &timeoutSeconds,
-	}
-}
-
-func constructDebugWebhook(name, url string, caData []byte, validation bool, timeoutSeconds int32) admregapi.Webhook {
-	resource := "*/*"
-	apiGroups := "*"
-	apiversions := "*"
-
-	if strings.Contains(url, config.PolicyValidatingWebhookServicePath) {
-		resource = "policies/*"
-		apiGroups = "kyverno.io"
-		apiversions = "v1alpha1"
-	}
-	operationtypes := []admregapi.OperationType{
-		admregapi.Create,
-		admregapi.Update,
-	}
-	// // Add operation DELETE for validation
-	// if validation {
-	// 	operationtypes = append(operationtypes, admregapi.Delete)
-	// }
-
-	return admregapi.Webhook{
-		Name: name,
-		ClientConfig: admregapi.WebhookClientConfig{
-			URL:      &url,
-			CABundle: caData,
-		},
-		Rules: []admregapi.RuleWithOperations{
-			admregapi.RuleWithOperations{
-				Operations: operationtypes,
-				Rule: admregapi.Rule{
-					APIGroups: []string{
-						apiGroups,
-					},
-					APIVersions: []string{
-						apiversions,
-					},
-					Resources: []string{
-						resource,
-					},
-				},
-			},
-		},
-		TimeoutSeconds: &timeoutSeconds,
-	}
-}
-
-func (wrc *WebhookRegistrationClient) constructOwner() v1.OwnerReference {
-	kubePolicyDeployment, err := wrc.client.GetKubePolicyDeployment()
-
-	if err != nil {
-		glog.Errorf("Error when constructing OwnerReference, err: %v\n", err)
-		return v1.OwnerReference{}
-	}
-
-	return v1.OwnerReference{
-		APIVersion: config.DeploymentAPIVersion,
-		Kind:       config.DeploymentKind,
-		Name:       kubePolicyDeployment.ObjectMeta.Name,
-		UID:        kubePolicyDeployment.ObjectMeta.UID,
-	}
-}
-
-// ExtractCA used for extraction CA from config
-func extractCA(config *rest.Config) (result []byte) {
-	fileName := config.TLSClientConfig.CAFile
-
-	if fileName != "" {
-		result, err := ioutil.ReadFile(fileName)
-
-		if err != nil {
-			return nil
-		}
-
-		return result
-	}
-
-	return config.TLSClientConfig.CAData
-}
--- a/pkg/webhookconfig/resource.go
+++ b/pkg/webhookconfig/resource.go
@ -0,0 +1,110 @@
+package webhookconfig
+
+import (
+	"fmt"
+
+	"github.com/golang/glog"
+	"github.com/nirmata/kyverno/pkg/config"
+	admregapi "k8s.io/api/admissionregistration/v1beta1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func (wrc *WebhookRegistrationClient) contructDebugMutatingWebhookConfig(caData []byte) *admregapi.MutatingWebhookConfiguration {
+	url := fmt.Sprintf("https://%s%s", wrc.serverIP, config.MutatingWebhookServicePath)
+	glog.V(3).Infof("Debug MutatingWebhookConfig is registered with url %s\n", url)
+
+	return &admregapi.MutatingWebhookConfiguration{
+		ObjectMeta: v1.ObjectMeta{
+			Name:   config.MutatingWebhookConfigurationDebug,
+			Labels: config.KubePolicyAppLabels,
+		},
+		Webhooks: []admregapi.Webhook{
+			generateDebugWebhook(
+				config.MutatingWebhookName,
+				url,
+				caData,
+				true,
+				wrc.timeoutSeconds,
+				"*/*",
+				"*",
+				"*",
+				[]admregapi.OperationType{admregapi.Create},
+			),
+		},
+	}
+}
+
+func (wrc *WebhookRegistrationClient) constructMutatingWebhookConfig(caData []byte) *admregapi.MutatingWebhookConfiguration {
+	return &admregapi.MutatingWebhookConfiguration{
+		ObjectMeta: v1.ObjectMeta{
+			Name:   config.MutatingWebhookConfigurationName,
+			Labels: config.KubePolicyAppLabels,
+			OwnerReferences: []v1.OwnerReference{
+				wrc.constructOwner(),
+			},
+		},
+		Webhooks: []admregapi.Webhook{
+			generateWebhook(
+				config.MutatingWebhookName,
+				config.MutatingWebhookServicePath,
+				caData,
+				false,
+				wrc.timeoutSeconds,
+				"*/*",
+				"*",
+				"*",
+				[]admregapi.OperationType{admregapi.Create},
+			),
+		},
+	}
+}
+
+func (wrc *WebhookRegistrationClient) constructValidatingWebhookConfig(caData []byte) *admregapi.ValidatingWebhookConfiguration {
+	return &admregapi.ValidatingWebhookConfiguration{
+		ObjectMeta: v1.ObjectMeta{
+			Name:   config.ValidatingWebhookConfigurationName,
+			Labels: config.KubePolicyAppLabels,
+			OwnerReferences: []v1.OwnerReference{
+				wrc.constructOwner(),
+			},
+		},
+		Webhooks: []admregapi.Webhook{
+			generateWebhook(
+				config.ValidatingWebhookName,
+				config.ValidatingWebhookServicePath,
+				caData,
+				true,
+				wrc.timeoutSeconds,
+				"*/*",
+				"*",
+				"*",
+				[]admregapi.OperationType{admregapi.Create},
+			),
+		},
+	}
+}
+
+func (wrc *WebhookRegistrationClient) contructDebugValidatingWebhookConfig(caData []byte) *admregapi.ValidatingWebhookConfiguration {
+	url := fmt.Sprintf("https://%s%s", wrc.serverIP, config.ValidatingWebhookServicePath)
+	glog.V(3).Infof("Debug ValidatingWebhookConfig is registered with url %s\n", url)
+
+	return &admregapi.ValidatingWebhookConfiguration{
+		ObjectMeta: v1.ObjectMeta{
+			Name:   config.ValidatingWebhookConfigurationDebug,
+			Labels: config.KubePolicyAppLabels,
+		},
+		Webhooks: []admregapi.Webhook{
+			generateDebugWebhook(
+				config.ValidatingWebhookName,
+				url,
+				caData,
+				true,
+				wrc.timeoutSeconds,
+				"*/*",
+				"*",
+				"*",
+				[]admregapi.OperationType{admregapi.Create},
+			),
+		},
+	}
+}
--- a/pkg/webhooks/webhookManager.go
+++ b/pkg/webhooks/webhookManager.go
@ -33,7 +33,7 @@ func (ws *WebhookServer) registerWebhookConfigurations(policy kyverno.Policy) er
 	}

 	if !ws.webhookRegistrationClient.MutationRegistered.IsSet() {
-		if err := ws.webhookRegistrationClient.RegisterMutatingWebhook(); err != nil {
+		if err := ws.webhookRegistrationClient.CreateResourceMutatingWebhookConfiguration(); err != nil {
 			return err
 		}
 		glog.Infof("Mutating webhook registered")
@ -47,7 +47,7 @@ func (ws *WebhookServer) deregisterWebhookConfigurations(policy kyverno.Policy)

 	// deregister webhook if no mutate/validate policy found in cluster
 	if !HasMutateOrValidatePolicies(policies) {
-		ws.webhookRegistrationClient.DeregisterMutatingWebhook()
+		ws.webhookRegistrationClient.RemoveResourceMutatingWebhookConfiguration()
 		glog.Infoln("Mutating webhook deregistered")
 	}