refactor: admission metrics (counter and latency) (#5245)

* refactor: move all middlewares in handlers sub package Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: admission metrics (counter and latency) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * builder Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * cleanup Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-03-29 02:45:06 +00:00 · 2022-11-09 11:52:20 +01:00 · 2022-11-09 11:52:20 +01:00 · cc8f643767
commit cc8f643767
parent 83235ed10d
14 changed files with 127 additions and 195 deletions
--- a/cmd/kyverno/main.go
+++ b/cmd/kyverno/main.go
@ -756,6 +756,7 @@ func main() {
 		policyHandlers,
 		resourceHandlers,
 		configuration,
+		metricsConfig,
 		webhooks.DebugModeOptions{
 			DumpPayload: dumpPayload,
 		},
--- a/pkg/metrics/admissionrequests/admissionRequests.go
+++ b/pkg/metrics/admissionrequests/admissionRequests.go
@ -2,52 +2,27 @@ package admissionrequests

 import (
 	"fmt"
+	"strings"

-	"github.com/kyverno/kyverno/pkg/engine/response"
 	"github.com/kyverno/kyverno/pkg/metrics"
 	"github.com/kyverno/kyverno/pkg/utils"
+	admissionv1 "k8s.io/api/admission/v1"
 )

-func registerAdmissionRequestsMetric(
-	m *metrics.MetricsConfig,
-	resourceKind, resourceNamespace string,
-	resourceRequestOperation metrics.ResourceRequestOperation,
-) error {
+func registerAdmissionRequestsMetric(m *metrics.MetricsConfig, resourceKind, resourceNamespace string, resourceRequestOperation metrics.ResourceRequestOperation) {
 	includeNamespaces, excludeNamespaces := m.Config.GetIncludeNamespaces(), m.Config.GetExcludeNamespaces()
 	if (resourceNamespace != "" && resourceNamespace != "-") && utils.ContainsString(excludeNamespaces, resourceNamespace) {
 		m.Log.V(2).Info(fmt.Sprintf("Skipping the registration of kyverno_admission_requests_total metric as the operation belongs to the namespace '%s' which is one of 'namespaces.exclude' %+v in values.yaml", resourceNamespace, excludeNamespaces))
-		return nil
+		return
 	}
 	if (resourceNamespace != "" && resourceNamespace != "-") && len(includeNamespaces) > 0 && !utils.ContainsString(includeNamespaces, resourceNamespace) {
 		m.Log.V(2).Info(fmt.Sprintf("Skipping the registration of kyverno_admission_requests_total metric as the operation belongs to the namespace '%s' which is not one of 'namespaces.include' %+v in values.yaml", resourceNamespace, includeNamespaces))
-		return nil
+		return
 	}
-
 	m.RecordAdmissionRequests(resourceKind, resourceNamespace, resourceRequestOperation)
-
-	return nil
 }

-func ProcessEngineResponses(m *metrics.MetricsConfig, engineResponses []*response.EngineResponse, resourceRequestOperation metrics.ResourceRequestOperation) error {
-	if len(engineResponses) == 0 {
-		return nil
-	}
-	resourceNamespace, resourceKind := engineResponses[0].PolicyResponse.Resource.Namespace, engineResponses[0].PolicyResponse.Resource.Kind
-	validateRulesCount, mutateRulesCount, generateRulesCount := 0, 0, 0
-	for _, e := range engineResponses {
-		for _, rule := range e.PolicyResponse.Rules {
-			switch rule.Type {
-			case "Validation":
-				validateRulesCount++
-			case "Mutation":
-				mutateRulesCount++
-			case "Generation":
-				generateRulesCount++
-			}
-		}
-	}
-	if validateRulesCount == 0 && mutateRulesCount == 0 && generateRulesCount == 0 {
-		return nil
-	}
-	return registerAdmissionRequestsMetric(m, resourceKind, resourceNamespace, resourceRequestOperation)
+func Process(m *metrics.MetricsConfig, request *admissionv1.AdmissionRequest) {
+	op := strings.ToLower(string(request.Operation))
+	registerAdmissionRequestsMetric(m, request.Kind.Kind, request.Namespace, metrics.ResourceRequestOperation(op))
 }
--- a/pkg/metrics/admissionreviewduration/admissionReviewDuration.go
+++ b/pkg/metrics/admissionreviewduration/admissionReviewDuration.go
@ -2,54 +2,28 @@ package admissionreviewduration

 import (
 	"fmt"
+	"strings"

-	"github.com/kyverno/kyverno/pkg/engine/response"
 	"github.com/kyverno/kyverno/pkg/metrics"
 	"github.com/kyverno/kyverno/pkg/utils"
+	admissionv1 "k8s.io/api/admission/v1"
 )

-func registerAdmissionReviewDurationMetric(
-	m *metrics.MetricsConfig,
-	resourceKind, resourceNamespace string,
-	resourceRequestOperation metrics.ResourceRequestOperation,
-	admissionRequestLatency float64,
-) error {
+func registerAdmissionReviewDurationMetric(m *metrics.MetricsConfig, resourceKind, resourceNamespace string, resourceRequestOperation metrics.ResourceRequestOperation, admissionRequestLatency float64) {
 	includeNamespaces, excludeNamespaces := m.Config.GetIncludeNamespaces(), m.Config.GetExcludeNamespaces()
 	if (resourceNamespace != "" && resourceNamespace != "-") && utils.ContainsString(excludeNamespaces, resourceNamespace) {
 		m.Log.V(2).Info(fmt.Sprintf("Skipping the registration of kyverno_admission_review_duration_seconds metric as the operation belongs to the namespace '%s' which is one of 'namespaces.exclude' %+v in values.yaml", resourceNamespace, excludeNamespaces))
-		return nil
+		return
 	}
 	if (resourceNamespace != "" && resourceNamespace != "-") && len(includeNamespaces) > 0 && !utils.ContainsString(includeNamespaces, resourceNamespace) {
 		m.Log.V(2).Info(fmt.Sprintf("Skipping the registration of kyverno_admission_review_duration_seconds metric as the operation belongs to the namespace '%s' which is not one of 'namespaces.include' %+v in values.yaml", resourceNamespace, includeNamespaces))
-		return nil
+		return
 	}
-
 	m.RecordAdmissionReviewDuration(resourceKind, resourceNamespace, string(resourceRequestOperation), admissionRequestLatency)
-
-	return nil
 }

-func ProcessEngineResponses(m *metrics.MetricsConfig, engineResponses []*response.EngineResponse, admissionReviewLatencyDuration int64, resourceRequestOperation metrics.ResourceRequestOperation) error {
-	if len(engineResponses) == 0 {
-		return nil
-	}
-	resourceNamespace, resourceKind := engineResponses[0].PolicyResponse.Resource.Namespace, engineResponses[0].PolicyResponse.Resource.Kind
-	validateRulesCount, mutateRulesCount, generateRulesCount := 0, 0, 0
-	for _, e := range engineResponses {
-		for _, rule := range e.PolicyResponse.Rules {
-			switch rule.Type {
-			case "Validation":
-				validateRulesCount++
-			case "Mutation":
-				mutateRulesCount++
-			case "Generation":
-				generateRulesCount++
-			}
-		}
-	}
-	if validateRulesCount == 0 && mutateRulesCount == 0 && generateRulesCount == 0 {
-		return nil
-	}
-	admissionReviewLatencyDurationInSeconds := float64(admissionReviewLatencyDuration) / float64(1000*1000*1000)
-	return registerAdmissionReviewDurationMetric(m, resourceKind, resourceNamespace, resourceRequestOperation, admissionReviewLatencyDurationInSeconds)
+func Process(m *metrics.MetricsConfig, request *admissionv1.AdmissionRequest, latency int64) {
+	op := strings.ToLower(string(request.Operation))
+	admissionReviewLatencyDurationInSeconds := float64(latency) / float64(1000*1000*1000)
+	registerAdmissionReviewDurationMetric(m, request.Kind.Kind, request.Namespace, metrics.ResourceRequestOperation(op), admissionReviewLatencyDurationInSeconds)
 }
--- a/pkg/webhooks/handlers/admission.go
+++ b/pkg/webhooks/handlers/admission.go
@ -15,7 +15,11 @@ import (

 type AdmissionHandler func(logr.Logger, *admissionv1.AdmissionRequest, time.Time) *admissionv1.AdmissionResponse

-func Admission(logger logr.Logger, inner AdmissionHandler) http.HandlerFunc {
+func (h AdmissionHandler) WithAdmission(logger logr.Logger) http.HandlerFunc {
+	return withAdmission(logger, h)
+}
+
+func withAdmission(logger logr.Logger, inner AdmissionHandler) http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
 		ctx := request.Context()
 		startTime := time.Now()
--- a/pkg/webhooks/handlers/dump.go
+++ b/pkg/webhooks/handlers/dump.go
@ -93,7 +93,14 @@ func redactPayload(payload *admissionRequestPayload) (*admissionRequestPayload,
 	return payload, nil
 }

-func Dump(inner AdmissionHandler) AdmissionHandler {
+func (h AdmissionHandler) WithDump(enabled bool) AdmissionHandler {
+	if !enabled {
+		return h
+	}
+	return withDump(h)
+}
+
+func withDump(inner AdmissionHandler) AdmissionHandler {
 	return func(logger logr.Logger, request *admissionv1.AdmissionRequest, startTime time.Time) *admissionv1.AdmissionResponse {
 		response := inner(logger, request, startTime)
 		dumpPayload(logger, request, response)
--- a/pkg/webhooks/handlers/filter.go
+++ b/pkg/webhooks/handlers/filter.go
@ -8,7 +8,11 @@ import (
 	admissionv1 "k8s.io/api/admission/v1"
 )

-func Filter(c config.Configuration, inner AdmissionHandler) AdmissionHandler {
+func (h AdmissionHandler) WithFilter(configuration config.Configuration) AdmissionHandler {
+	return withFilter(configuration, h)
+}
+
+func withFilter(c config.Configuration, inner AdmissionHandler) AdmissionHandler {
 	return func(logger logr.Logger, request *admissionv1.AdmissionRequest, startTime time.Time) *admissionv1.AdmissionResponse {
 		if c.ToFilter(request.Kind.Kind, request.Namespace, request.Name) {
 			return nil
--- a/pkg/webhooks/handlers/metrics.go
+++ b/pkg/webhooks/handlers/metrics.go
@ -0,0 +1,23 @@
+package handlers
+
+import (
+	"time"
+
+	"github.com/go-logr/logr"
+	"github.com/kyverno/kyverno/pkg/metrics"
+	admissionRequests "github.com/kyverno/kyverno/pkg/metrics/admissionrequests"
+	admissionReviewDuration "github.com/kyverno/kyverno/pkg/metrics/admissionreviewduration"
+	admissionv1 "k8s.io/api/admission/v1"
+)
+
+func (h AdmissionHandler) WithMetrics(metricsConfig *metrics.MetricsConfig) AdmissionHandler {
+	return withMetrics(metricsConfig, h)
+}
+
+func withMetrics(metricsConfig *metrics.MetricsConfig, inner AdmissionHandler) AdmissionHandler {
+	return func(logger logr.Logger, request *admissionv1.AdmissionRequest, startTime time.Time) *admissionv1.AdmissionResponse {
+		defer admissionReviewDuration.Process(metricsConfig, request, int64(time.Since(startTime)))
+		admissionRequests.Process(metricsConfig, request)
+		return inner(logger, request, startTime)
+	}
+}
--- a/pkg/webhooks/handlers/protect.go
+++ b/pkg/webhooks/handlers/protect.go
@ -14,7 +14,14 @@ import (
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )

-func Protect(inner AdmissionHandler) AdmissionHandler {
+func (h AdmissionHandler) WithProtection(enabled bool) AdmissionHandler {
+	if !enabled {
+		return h
+	}
+	return withProtection(h)
+}
+
+func withProtection(inner AdmissionHandler) AdmissionHandler {
 	return func(logger logr.Logger, request *admissionv1.AdmissionRequest, startTime time.Time) *admissionv1.AdmissionResponse {
 		newResource, oldResource, err := utils.ExtractResources(nil, request)
 		if err != nil {
--- a/pkg/webhooks/resource/generation/generation.go
+++ b/pkg/webhooks/resource/generation/generation.go
@ -38,9 +38,6 @@ type GenerationHandler interface {
 		[]kyvernov1.PolicyInterface,
 		*engine.PolicyContext,
 		time.Time,
-		*chan int64,
-		*chan []*response.EngineResponse,
-		*chan []*response.EngineResponse,
 	)
 }

@ -84,9 +81,6 @@ func (h *generationHandler) Handle(
 	policies []kyvernov1.PolicyInterface,
 	policyContext *engine.PolicyContext,
 	admissionRequestTimestamp time.Time,
-	latencySender *chan int64,
-	generateEngineResponsesSenderForAdmissionReviewDurationMetric *chan []*response.EngineResponse,
-	generateEngineResponsesSenderForAdmissionRequestsCountMetric *chan []*response.EngineResponse,
 ) {
 	h.log.V(6).Info("update request")

@ -132,12 +126,6 @@ func (h *generationHandler) Handle(
 	if request.Operation == admissionv1.Update {
 		h.HandleUpdatesForGenerateRules(request, policies)
 	}
-
-	// sending the admission request latency to other goroutine (reporting the metrics) over the channel
-	admissionReviewLatencyDuration := int64(time.Since(admissionRequestTimestamp))
-	*latencySender <- admissionReviewLatencyDuration
-	*generateEngineResponsesSenderForAdmissionReviewDurationMetric <- engineResponses
-	*generateEngineResponsesSenderForAdmissionRequestsCountMetric <- engineResponses
 }

 // HandleUpdatesForGenerateRules handles admission-requests for update
--- a/pkg/webhooks/resource/mutation/mutation.go
+++ b/pkg/webhooks/resource/mutation/mutation.go
@ -70,13 +70,7 @@ func (h *mutationHandler) HandleMutation(
 	if err != nil {
 		return nil, nil, err
 	}
-
 	h.log.V(6).Info("", "generated patches", string(mutatePatches))
-
-	admissionReviewLatencyDuration := int64(time.Since(admissionRequestTimestamp))
-	go webhookutils.RegisterAdmissionReviewDurationMetricMutate(h.log, metricsConfig, string(request.Operation), mutateEngineResponses, admissionReviewLatencyDuration)
-	go webhookutils.RegisterAdmissionRequestsMetricMutate(h.log, metricsConfig, string(request.Operation), mutateEngineResponses)
-
 	return mutatePatches, webhookutils.GetWarningMessages(mutateEngineResponses), nil
 }

--- a/pkg/webhooks/resource/updaterequest.go
+++ b/pkg/webhooks/resource/updaterequest.go
@ -17,16 +17,9 @@ import (

 // createUpdateRequests applies generate and mutateExisting policies, and creates update requests for background reconcile
 func (h *handlers) createUpdateRequests(logger logr.Logger, request *admissionv1.AdmissionRequest, policyContext *engine.PolicyContext, generatePolicies, mutatePolicies []kyvernov1.PolicyInterface, ts time.Time) {
-	admissionReviewCompletionLatencyChannel := make(chan int64, 1)
-	generateEngineResponsesSenderForAdmissionReviewDurationMetric := make(chan []*response.EngineResponse, 1)
-	generateEngineResponsesSenderForAdmissionRequestsCountMetric := make(chan []*response.EngineResponse, 1)
-
 	gh := generation.NewGenerationHandler(logger, h.client, h.kyvernoClient, h.nsLister, h.urLister, h.urGenerator, h.urUpdater, h.eventGen)
 	go h.handleMutateExisting(logger, request, mutatePolicies, policyContext, ts)
-	go gh.Handle(h.metricsConfig, request, generatePolicies, policyContext, ts, &admissionReviewCompletionLatencyChannel, &generateEngineResponsesSenderForAdmissionReviewDurationMetric, &generateEngineResponsesSenderForAdmissionRequestsCountMetric)
-
-	go webhookutils.RegisterAdmissionReviewDurationMetricGenerate(logger, h.metricsConfig, string(request.Operation), &admissionReviewCompletionLatencyChannel, &generateEngineResponsesSenderForAdmissionReviewDurationMetric)
-	go webhookutils.RegisterAdmissionRequestsMetricGenerate(logger, h.metricsConfig, string(request.Operation), &generateEngineResponsesSenderForAdmissionRequestsCountMetric)
+	go gh.Handle(h.metricsConfig, request, generatePolicies, policyContext, ts)
 }

 func (h *handlers) handleMutateExisting(logger logr.Logger, request *admissionv1.AdmissionRequest, policies []kyvernov1.PolicyInterface, policyContext *engine.PolicyContext, admissionRequestTimestamp time.Time) {
@ -75,8 +68,4 @@ func (h *handlers) handleMutateExisting(logger logr.Logger, request *admissionv1
 			h.eventGen.Add(events...)
 		}
 	}
-
-	admissionReviewLatencyDuration := int64(time.Since(admissionRequestTimestamp))
-	go webhookutils.RegisterAdmissionReviewDurationMetricMutate(logger, h.metricsConfig, string(request.Operation), engineResponses, admissionReviewLatencyDuration)
-	go webhookutils.RegisterAdmissionRequestsMetricMutate(logger, h.metricsConfig, string(request.Operation), engineResponses)
 }
--- a/pkg/webhooks/resource/validation/validation.go
+++ b/pkg/webhooks/resource/validation/validation.go
@ -123,23 +123,15 @@ func (v *validationHandler) HandleValidation(

 	if blocked {
 		logger.V(4).Info("admission request blocked")
-		v.generateMetrics(request, admissionRequestTimestamp, engineResponses, metricsConfig, logger)
 		return false, webhookutils.GetBlockedMessages(engineResponses), nil
 	}

-	v.generateMetrics(request, admissionRequestTimestamp, engineResponses, metricsConfig, logger)
 	go v.handleAudit(policyContext.NewResource, request, namespaceLabels, engineResponses...)

 	warnings := webhookutils.GetWarningMessages(engineResponses)
 	return true, "", warnings
 }

-func (v *validationHandler) generateMetrics(request *admissionv1.AdmissionRequest, admissionRequestTimestamp time.Time, engineResponses []*response.EngineResponse, metricsConfig *metrics.MetricsConfig, logger logr.Logger) {
-	admissionReviewLatencyDuration := int64(time.Since(admissionRequestTimestamp))
-	go webhookutils.RegisterAdmissionReviewDurationMetricValidate(logger, metricsConfig, string(request.Operation), engineResponses, admissionReviewLatencyDuration)
-	go webhookutils.RegisterAdmissionRequestsMetricValidate(logger, metricsConfig, string(request.Operation), engineResponses)
-}
-
 func (v *validationHandler) buildAuditResponses(resource unstructured.Unstructured, request *admissionv1.AdmissionRequest, namespaceLabels map[string]string) ([]*response.EngineResponse, error) {
 	policies := v.pCache.GetPolicies(policycache.ValidateAudit, request.Kind.Kind, request.Namespace)
 	policyContext, err := v.pcBuilder.Build(request, policies...)
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@ -10,6 +10,7 @@ import (
 	"github.com/julienschmidt/httprouter"
 	"github.com/kyverno/kyverno/pkg/config"
 	"github.com/kyverno/kyverno/pkg/logging"
+	"github.com/kyverno/kyverno/pkg/metrics"
 	"github.com/kyverno/kyverno/pkg/toggle"
 	controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"
 	runtimeutils "github.com/kyverno/kyverno/pkg/utils/runtime"
@ -66,6 +67,7 @@ func NewServer(
 	policyHandlers PolicyHandlers,
 	resourceHandlers ResourceHandlers,
 	configuration config.Configuration,
+	metricsConfig *metrics.MetricsConfig,
 	debugModeOpts DebugModeOptions,
 	tlsProvider TlsProvider,
 	mwcClient controllerutils.DeleteClient[*admissionregistrationv1.MutatingWebhookConfiguration],
@ -77,11 +79,32 @@ func NewServer(
 	resourceLogger := logger.WithName("resource")
 	policyLogger := logger.WithName("policy")
 	verifyLogger := logger.WithName("verify")
-	registerWebhookHandlers(resourceLogger.WithName("mutate"), mux, config.MutatingWebhookServicePath, configuration, resourceHandlers.Mutate, debugModeOpts)
-	registerWebhookHandlers(resourceLogger.WithName("validate"), mux, config.ValidatingWebhookServicePath, configuration, resourceHandlers.Validate, debugModeOpts)
-	mux.HandlerFunc("POST", config.PolicyMutatingWebhookServicePath, admission(policyLogger.WithName("mutate"), filter(configuration, policyHandlers.Mutate), debugModeOpts))
-	mux.HandlerFunc("POST", config.PolicyValidatingWebhookServicePath, admission(policyLogger.WithName("validate"), filter(configuration, policyHandlers.Validate), debugModeOpts))
-	mux.HandlerFunc("POST", config.VerifyMutatingWebhookServicePath, admission(verifyLogger.WithName("mutate"), handlers.Verify(), DebugModeOptions{}))
+	registerWebhookHandlers(resourceLogger.WithName("mutate"), mux, config.MutatingWebhookServicePath, configuration, metricsConfig, resourceHandlers.Mutate, debugModeOpts)
+	registerWebhookHandlers(resourceLogger.WithName("validate"), mux, config.ValidatingWebhookServicePath, configuration, metricsConfig, resourceHandlers.Validate, debugModeOpts)
+	mux.HandlerFunc(
+		"POST",
+		config.PolicyMutatingWebhookServicePath,
+		handlers.AdmissionHandler(policyHandlers.Mutate).
+			WithFilter(configuration).
+			WithDump(debugModeOpts.DumpPayload).
+			WithMetrics(metricsConfig).
+			WithAdmission(policyLogger.WithName("mutate")),
+	)
+	mux.HandlerFunc(
+		"POST",
+		config.PolicyValidatingWebhookServicePath,
+		handlers.AdmissionHandler(policyHandlers.Validate).
+			WithFilter(configuration).
+			WithDump(debugModeOpts.DumpPayload).
+			WithMetrics(metricsConfig).
+			WithAdmission(policyLogger.WithName("validate")),
+	)
+	mux.HandlerFunc(
+		"POST",
+		config.VerifyMutatingWebhookServicePath,
+		handlers.Verify().
+			WithAdmission(verifyLogger.WithName("mutate")),
+	)
 	mux.HandlerFunc("GET", config.LivenessServicePath, handlers.Probe(runtime.IsLive))
 	mux.HandlerFunc("GET", config.ReadinessServicePath, handlers.Probe(runtime.IsReady))
 	return &server{
@ -170,53 +193,49 @@ func (s *server) cleanup(ctx context.Context) {
 	close(s.cleanUp)
 }

-func dump(inner handlers.AdmissionHandler, debugModeOpts DebugModeOptions) handlers.AdmissionHandler {
-	// debug mode not enabled, no need to add debug middleware
-	if !debugModeOpts.DumpPayload {
-		return inner
-	}
-	return handlers.Dump(inner)
-}
-
-func protect(inner handlers.AdmissionHandler) handlers.AdmissionHandler {
-	if !toggle.ProtectManagedResources.Enabled() {
-		return inner
-	}
-	return handlers.Protect(inner)
-}
-
-func filter(configuration config.Configuration, inner handlers.AdmissionHandler) handlers.AdmissionHandler {
-	return handlers.Filter(configuration, inner)
-}
-
-func admission(logger logr.Logger, inner handlers.AdmissionHandler, debugModeOpts DebugModeOptions) http.HandlerFunc {
-	return handlers.Admission(logger, dump(protect(inner), debugModeOpts))
-}
-
 func registerWebhookHandlers(
 	logger logr.Logger,
 	mux *httprouter.Router,
 	basePath string,
 	configuration config.Configuration,
+	metricsConfig *metrics.MetricsConfig,
 	handlerFunc func(logr.Logger, *admissionv1.AdmissionRequest, string, time.Time) *admissionv1.AdmissionResponse,
 	debugModeOpts DebugModeOptions,
 ) {
-	mux.HandlerFunc("POST", basePath, admission(logger, filter(
-		configuration,
-		func(logger logr.Logger, request *admissionv1.AdmissionRequest, startTime time.Time) *admissionv1.AdmissionResponse {
+	mux.HandlerFunc(
+		"POST",
+		basePath,
+		handlers.AdmissionHandler(func(logger logr.Logger, request *admissionv1.AdmissionRequest, startTime time.Time) *admissionv1.AdmissionResponse {
 			return handlerFunc(logger, request, "all", startTime)
-		}), debugModeOpts),
+		}).
+			WithFilter(configuration).
+			WithProtection(toggle.ProtectManagedResources.Enabled()).
+			WithDump(debugModeOpts.DumpPayload).
+			WithMetrics(metricsConfig).
+			WithAdmission(logger),
 	)
-	mux.HandlerFunc("POST", basePath+"/fail", admission(logger, filter(
-		configuration,
-		func(logger logr.Logger, request *admissionv1.AdmissionRequest, startTime time.Time) *admissionv1.AdmissionResponse {
+	mux.HandlerFunc(
+		"POST",
+		basePath+"/fail",
+		handlers.AdmissionHandler(func(logger logr.Logger, request *admissionv1.AdmissionRequest, startTime time.Time) *admissionv1.AdmissionResponse {
 			return handlerFunc(logger, request, "fail", startTime)
-		}), debugModeOpts),
+		}).
+			WithFilter(configuration).
+			WithProtection(toggle.ProtectManagedResources.Enabled()).
+			WithDump(debugModeOpts.DumpPayload).
+			WithMetrics(metricsConfig).
+			WithAdmission(logger),
 	)
-	mux.HandlerFunc("POST", basePath+"/ignore", admission(logger, filter(
-		configuration,
-		func(logger logr.Logger, request *admissionv1.AdmissionRequest, startTime time.Time) *admissionv1.AdmissionResponse {
+	mux.HandlerFunc(
+		"POST",
+		basePath+"/ignore",
+		handlers.AdmissionHandler(func(logger logr.Logger, request *admissionv1.AdmissionRequest, startTime time.Time) *admissionv1.AdmissionResponse {
 			return handlerFunc(logger, request, "ignore", startTime)
-		}), debugModeOpts),
+		}).
+			WithFilter(configuration).
+			WithProtection(toggle.ProtectManagedResources.Enabled()).
+			WithDump(debugModeOpts.DumpPayload).
+			WithMetrics(metricsConfig).
+			WithAdmission(logger),
 	)
 }
--- a/pkg/webhooks/utils/metrics.go
+++ b/pkg/webhooks/utils/metrics.go
@ -7,8 +7,6 @@ import (
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 	"github.com/kyverno/kyverno/pkg/engine/response"
 	"github.com/kyverno/kyverno/pkg/metrics"
-	admissionRequests "github.com/kyverno/kyverno/pkg/metrics/admissionrequests"
-	admissionReviewDuration "github.com/kyverno/kyverno/pkg/metrics/admissionreviewduration"
 	policyExecutionDuration "github.com/kyverno/kyverno/pkg/metrics/policyexecutionduration"
 	policyResults "github.com/kyverno/kyverno/pkg/metrics/policyresults"
 )
@ -25,49 +23,6 @@ func registerMetric(logger logr.Logger, m string, requestOperation string, r rep
 	}
 }

-// ADMISSION REVIEW
-
-func RegisterAdmissionReviewDurationMetricMutate(logger logr.Logger, metricsConfig *metrics.MetricsConfig, requestOperation string, engineResponses []*response.EngineResponse, admissionReviewLatencyDuration int64) {
-	registerMetric(logger, "kyverno_admission_review_duration_seconds", requestOperation, func(op metrics.ResourceRequestOperation) error {
-		return admissionReviewDuration.ProcessEngineResponses(metricsConfig, engineResponses, admissionReviewLatencyDuration, op)
-	})
-}
-
-func RegisterAdmissionReviewDurationMetricGenerate(logger logr.Logger, metricsConfig *metrics.MetricsConfig, requestOperation string, latencyReceiver *chan int64, engineResponsesReceiver *chan []*response.EngineResponse) {
-	defer close(*latencyReceiver)
-	defer close(*engineResponsesReceiver)
-	registerMetric(logger, "kyverno_admission_review_duration_seconds", requestOperation, func(op metrics.ResourceRequestOperation) error {
-		return admissionReviewDuration.ProcessEngineResponses(metricsConfig, <-(*engineResponsesReceiver), <-(*latencyReceiver), op)
-	})
-}
-
-func RegisterAdmissionReviewDurationMetricValidate(logger logr.Logger, metricsConfig *metrics.MetricsConfig, requestOperation string, engineResponses []*response.EngineResponse, admissionReviewLatencyDuration int64) {
-	registerMetric(logger, "kyverno_admission_review_duration_seconds", requestOperation, func(op metrics.ResourceRequestOperation) error {
-		return admissionReviewDuration.ProcessEngineResponses(metricsConfig, engineResponses, admissionReviewLatencyDuration, op)
-	})
-}
-
-// ADMISSION REQUEST
-
-func RegisterAdmissionRequestsMetricMutate(logger logr.Logger, metricsConfig *metrics.MetricsConfig, requestOperation string, engineResponses []*response.EngineResponse) {
-	registerMetric(logger, "kyverno_admission_requests_total", requestOperation, func(op metrics.ResourceRequestOperation) error {
-		return admissionRequests.ProcessEngineResponses(metricsConfig, engineResponses, op)
-	})
-}
-
-func RegisterAdmissionRequestsMetricGenerate(logger logr.Logger, metricsConfig *metrics.MetricsConfig, requestOperation string, engineResponsesReceiver *chan []*response.EngineResponse) {
-	defer close(*engineResponsesReceiver)
-	registerMetric(logger, "kyverno_admission_requests_total", requestOperation, func(op metrics.ResourceRequestOperation) error {
-		return admissionRequests.ProcessEngineResponses(metricsConfig, <-(*engineResponsesReceiver), op)
-	})
-}
-
-func RegisterAdmissionRequestsMetricValidate(logger logr.Logger, metricsConfig *metrics.MetricsConfig, requestOperation string, engineResponses []*response.EngineResponse) {
-	registerMetric(logger, "kyverno_admission_requests_total", requestOperation, func(op metrics.ResourceRequestOperation) error {
-		return admissionRequests.ProcessEngineResponses(metricsConfig, engineResponses, op)
-	})
-}
-
 // POLICY RESULTS

 func RegisterPolicyResultsMetricMutation(logger logr.Logger, metricsConfig *metrics.MetricsConfig, requestOperation string, policy kyvernov1.PolicyInterface, engineResponse response.EngineResponse) {