Optimize UR listing on policy events (#3712)
* Optimize UR listing on policy events Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix new UR creation for multiple policies Signed-off-by: ShutingZhao <shuting@nirmata.com>
parent
eb0b8d352c
commit
d3eec03a79
8 changed files with 53 additions and 22 deletions
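--- a/api/kyverno/v1beta1/constants.go
+++ b/api/kyverno/v1beta1/constants.go
@@ -0,0 +1,8 @@
+package v1beta1
+
+const (
+// URMutatePolicyLabel adds the policy name to URs for mutate policies
+URMutatePolicyLabel = "mutate.updaterequest.kyverno.io/policy-name"
+// URGeneratePolicyLabel adds the policy name to URs for generate policies
+URGeneratePolicyLabel = "generate.kyverno.io/policy-name"
+)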
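Review bot: The doc comments on `URMutatePolicyLabel` and `URGeneratePolicyLabel` describe an action ("adds the policy name to URs") although each constant is a label key, and they do not mention that the rest of this commit uses the same keys to build list selectors. A wording such as `// URMutatePolicyLabel is the label key holding the policy name on mutate UpdateRequests; selectors match on it.` would tell a reader what the value is for. The sibling keys (`generate.kyverno.io/resource-name`, `mutate.updaterequest.kyverno.io/trigger-name` and the others) stay string literals at every call site in the other files, so a typo in one of them would still silently yield a selector that matches nothing; they could be given constants here too.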
|
@ -146,12 +146,12 @@ func (c *Controller) deletePolicy(obj interface{}) {
|
|||
|
||||
// get the generated resource name from generate request for log
|
||||
selector := labels.SelectorFromSet(labels.Set(map[string]string{
|
||||
"generate.kyverno.io/policy-name": p.Name,
|
||||
urkyverno.URGeneratePolicyLabel: p.Name,
|
||||
}))
|
||||
|
||||
grList, err := c.urLister.List(selector)
|
||||
if err != nil {
|
||||
logger.Error(err, "failed to get generate request for the resource", "label", "generate.kyverno.io/policy-name")
|
||||
logger.Error(err, "failed to get generate request for the resource", "label", urkyverno.URGeneratePolicyLabel)
|
||||
return
|
||||
}
|
||||
|
||||
|
|
|
@ -232,7 +232,7 @@ func (c *GenerateController) applyGenerate(resource unstructured.Unstructured, g
|
|||
if r.Status != response.RuleStatusPass {
|
||||
logger.V(4).Info("querying all generate requests")
|
||||
selector := labels.SelectorFromSet(labels.Set(map[string]string{
|
||||
"generate.kyverno.io/policy-name": engineResponse.PolicyResponse.Policy.Name,
|
||||
urkyverno.URGeneratePolicyLabel: engineResponse.PolicyResponse.Policy.Name,
|
||||
"generate.kyverno.io/resource-name": engineResponse.PolicyResponse.Resource.Name,
|
||||
"generate.kyverno.io/resource-kind": engineResponse.PolicyResponse.Resource.Kind,
|
||||
"generate.kyverno.io/resource-namespace": engineResponse.PolicyResponse.Resource.Namespace,
|
||||
|
|
|
@ -6,6 +6,7 @@ import (
|
|||
"strings"
|
||||
"time"
|
||||
|
||||
urkyverno "github.com/kyverno/kyverno/api/kyverno/v1beta1"
|
||||
"github.com/kyverno/kyverno/pkg/autogen"
|
||||
kyvernoclient "github.com/kyverno/kyverno/pkg/client/clientset/versioned"
|
||||
kyvernoinformer "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1"
|
||||
|
@ -32,7 +33,7 @@ func AddLabels(client *kyvernoclient.Clientset, grInformer kyvernoinformer.Gener
|
|||
if len(grLabels) == 0 {
|
||||
grLabels = make(map[string]string)
|
||||
}
|
||||
grLabels["generate.kyverno.io/policy-name"] = gr.Spec.Policy
|
||||
grLabels[urkyverno.URGeneratePolicyLabel] = gr.Spec.Policy
|
||||
grLabels["generate.kyverno.io/resource-name"] = gr.Spec.Resource.Name
|
||||
grLabels["generate.kyverno.io/resource-kind"] = gr.Spec.Resource.Kind
|
||||
grLabels["generate.kyverno.io/resource-namespace"] = gr.Spec.Resource.Namespace
|
||||
|
@ -67,7 +68,7 @@ func addLabelForGR(name string, namespace string, client *kyvernoclient.Clientse
|
|||
if len(grLabels) == 0 {
|
||||
grLabels = make(map[string]string)
|
||||
}
|
||||
grLabels["generate.kyverno.io/policy-name"] = gr.Spec.Policy
|
||||
grLabels[urkyverno.URGeneratePolicyLabel] = gr.Spec.Policy
|
||||
grLabels["generate.kyverno.io/resource-name"] = gr.Spec.Resource.Name
|
||||
grLabels["generate.kyverno.io/resource-kind"] = gr.Spec.Resource.Kind
|
||||
grLabels["generate.kyverno.io/resource-namespace"] = gr.Spec.Resource.Namespace
|
||||
|
|
|
@ -9,6 +9,7 @@ import (
|
|||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/gardener/controller-manager-library/pkg/logger"
|
||||
"github.com/go-logr/logr"
|
||||
kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
urkyverno "github.com/kyverno/kyverno/api/kyverno/v1beta1"
|
||||
|
@ -505,26 +506,47 @@ func (pc *PolicyController) syncPolicy(key string) error {
|
|||
logger.V(4).Info("finished syncing policy", "key", key, "processingTime", time.Since(startTime).String())
|
||||
}()
|
||||
|
||||
urList, err := pc.urLister.List(labels.Everything())
|
||||
if err != nil {
|
||||
logger.Error(err, "failed to list update request")
|
||||
}
|
||||
mutateURs, generateURs := pc.listURs(key)
|
||||
|
||||
policy, err := pc.getPolicy(key)
|
||||
if err != nil {
|
||||
if errors.IsNotFound(err) {
|
||||
deleteGR(pc.kyvernoClient, key, urList, logger)
|
||||
deleteGR(pc.kyvernoClient, key, append(mutateURs, generateURs...), logger)
|
||||
return nil
|
||||
}
|
||||
|
||||
return err
|
||||
}
|
||||
|
||||
pc.updateUR(policy, urList)
|
||||
pc.updateUR(policy, mutateURs, generateURs)
|
||||
pc.processExistingResources(policy)
|
||||
return nil
|
||||
}
|
||||
|
||||
func (pc *PolicyController) listURs(key string) ([]*urkyverno.UpdateRequest, []*urkyverno.UpdateRequest) {
|
||||
_, pName, _ := ParseNamespacedPolicy(key)
|
||||
|
||||
selector := labels.SelectorFromSet(labels.Set(map[string]string{
|
||||
urkyverno.URMutatePolicyLabel: pName,
|
||||
}))
|
||||
|
||||
mutateURs, err := pc.urLister.List(selector)
|
||||
if err != nil {
|
||||
logger.Error(err, "failed to list update request")
|
||||
}
|
||||
|
||||
selector = labels.SelectorFromSet(labels.Set(map[string]string{
|
||||
urkyverno.URGeneratePolicyLabel: pName,
|
||||
}))
|
||||
|
||||
generateURs, err := pc.urLister.List(selector)
|
||||
if err != nil {
|
||||
logger.Error(err, "failed to list update request")
|
||||
}
|
||||
|
||||
return mutateURs, generateURs
|
||||
}
|
||||
|
||||
func (pc *PolicyController) getPolicy(key string) (policy kyverno.PolicyInterface, err error) {
|
||||
namespace, key, isNamespacedPolicy := ParseNamespacedPolicy(key)
|
||||
if !isNamespacedPolicy {
|
||||
|
@ -539,8 +561,8 @@ func (pc *PolicyController) getPolicy(key string) (policy kyverno.PolicyInterfac
|
|||
return
|
||||
}
|
||||
|
||||
func (pc *PolicyController) updateUR(policy kyverno.PolicyInterface, urList []*urkyverno.UpdateRequest) {
|
||||
if urList == nil {
|
||||
func (pc *PolicyController) updateUR(policy kyverno.PolicyInterface, mutateURs, generateURs []*urkyverno.UpdateRequest) {
|
||||
if mutateURs == nil {
|
||||
for _, rule := range policy.GetSpec().Rules {
|
||||
if !rule.IsMutateExisting() {
|
||||
continue
|
||||
|
@ -568,7 +590,7 @@ func (pc *PolicyController) updateUR(policy kyverno.PolicyInterface, urList []*u
|
|||
return
|
||||
}
|
||||
|
||||
updateUR(pc.kyvernoClient, policy.GetName(), urList, pc.log.WithName("updateUR"))
|
||||
updateUR(pc.kyvernoClient, policy.GetName(), append(mutateURs, generateURs...), pc.log.WithName("updateUR"))
|
||||
|
||||
}
|
||||
|
||||
|
@ -724,7 +746,7 @@ func newUR(policy kyverno.PolicyInterface, target *kyverno.ResourceSpec) *urkyve
|
|||
}
|
||||
|
||||
label := map[string]string{
|
||||
"mutate.updaterequest.kyverno.io/policy-name": policyNameNamespaceKey,
|
||||
urkyverno.URMutatePolicyLabel: policyNameNamespaceKey,
|
||||
"mutate.updaterequest.kyverno.io/trigger-name": target.Name,
|
||||
"mutate.updaterequest.kyverno.io/trigger-namespace": target.Namespace,
|
||||
"mutate.updaterequest.kyverno.io/trigger-kind": target.Kind,
|
||||
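Review bot: In `listURs`, a failed `pc.urLister.List` is only logged, so a lister error and an empty result can both reach `updateUR` as a nil `mutateURs`. `updateUR` then enters its `if mutateURs == nil` branch, whose visible part walks the mutate-existing rules as if nothing had been processed yet, and the NotFound path in `syncPolicy` hands the incomplete list to `deleteGR`, so a transient error can plausibly end in duplicate or orphaned UpdateRequests. Returning the error from `listURs` and letting `syncPolicy` return it, as it already does for a `getPolicy` failure, keeps the two cases apart. `listURs` also declares no local `logger`, so `logger.Error` there seems to bind to the package imported as `github.com/gardener/controller-manager-library/pkg/logger` in the import hunk rather than to `pc.log`; with the error returned, that call and probably the third-party import can go. `syncPolicy`, `updateUR` and `newUR` begin or end outside the hunks shown.

```go
// in syncPolicy, replacing the two-value call
mutateURs, generateURs, err := pc.listURs(key)
if err != nil {
	return err
}
// … unchanged: getPolicy, NotFound cleanup via deleteGR, updateUR, processExistingResources …

func (pc *PolicyController) listURs(key string) ([]*urkyverno.UpdateRequest, []*urkyverno.UpdateRequest, error) {
	_, pName, _ := ParseNamespacedPolicy(key)

	mutateURs, err := pc.urLister.List(labels.SelectorFromSet(labels.Set(map[string]string{
		urkyverno.URMutatePolicyLabel: pName,
	})))
	if err != nil {
		return nil, nil, err
	}

	generateURs, err := pc.urLister.List(labels.SelectorFromSet(labels.Set(map[string]string{
		urkyverno.URGeneratePolicyLabel: pName,
	})))
	if err != nil {
		return nil, nil, err
	}

	return mutateURs, generateURs, nil
}
```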
|
|
|
@ -116,7 +116,7 @@ func retryApplyResource(client *kyvernoclient.Clientset, grSpec urkyverno.Update
|
|||
if action == admissionv1.Create || action == admissionv1.Update {
|
||||
log.V(4).Info("querying all generate requests")
|
||||
selector := labels.SelectorFromSet(labels.Set(map[string]string{
|
||||
"generate.kyverno.io/policy-name": policyName,
|
||||
urkyverno.URGeneratePolicyLabel: policyName,
|
||||
"generate.kyverno.io/resource-name": grSpec.Resource.Name,
|
||||
"generate.kyverno.io/resource-kind": grSpec.Resource.Kind,
|
||||
"generate.kyverno.io/resource-namespace": grSpec.Resource.Namespace,
|
||||
|
@ -155,7 +155,7 @@ func retryApplyResource(client *kyvernoclient.Clientset, grSpec urkyverno.Update
|
|||
if !isExist {
|
||||
gr.SetGenerateName("gr-")
|
||||
gr.SetLabels(map[string]string{
|
||||
"generate.kyverno.io/policy-name": policyName,
|
||||
urkyverno.URGeneratePolicyLabel: policyName,
|
||||
"generate.kyverno.io/resource-name": grSpec.Resource.Name,
|
||||
"generate.kyverno.io/resource-kind": grSpec.Resource.Kind,
|
||||
"generate.kyverno.io/resource-namespace": grSpec.Resource.Namespace,
|
||||
|
|
|
@ -132,12 +132,12 @@ func (ws *WebhookServer) handleUpdateGenerateSourceResource(resLabels map[string
|
|||
}
|
||||
} else {
|
||||
selector := labels.SelectorFromSet(labels.Set(map[string]string{
|
||||
"generate.kyverno.io/policy-name": policyName,
|
||||
urkyverno.URGeneratePolicyLabel: policyName,
|
||||
}))
|
||||
|
||||
grList, err := ws.urLister.List(selector)
|
||||
if err != nil {
|
||||
logger.Error(err, "failed to get generate request for the resource", "label", "generate.kyverno.io/policy-name")
|
||||
logger.Error(err, "failed to get generate request for the resource", "label", urkyverno.URGeneratePolicyLabel)
|
||||
return
|
||||
}
|
||||
|
||||
|
@ -363,7 +363,7 @@ func (ws *WebhookServer) handleDelete(request *admissionv1.AdmissionRequest) {
|
|||
func (ws *WebhookServer) deleteGR(logger logr.Logger, engineResponse *response.EngineResponse) {
|
||||
logger.V(4).Info("querying all generate requests")
|
||||
selector := labels.SelectorFromSet(labels.Set(map[string]string{
|
||||
"generate.kyverno.io/policy-name": engineResponse.PolicyResponse.Policy.Name,
|
||||
urkyverno.URGeneratePolicyLabel: engineResponse.PolicyResponse.Policy.Name,
|
||||
"generate.kyverno.io/resource-name": engineResponse.PolicyResponse.Resource.Name,
|
||||
"generate.kyverno.io/resource-kind": engineResponse.PolicyResponse.Resource.Kind,
|
||||
"generate.kyverno.io/resource-namespace": engineResponse.PolicyResponse.Resource.Namespace,
|
||||
|
|
|
@ -129,7 +129,7 @@ func retryApplyResource(client *kyvernoclient.Clientset, urSpec urkyverno.Update
|
|||
queryLabels := make(map[string]string)
|
||||
if ur.Spec.Type == urkyverno.Mutate {
|
||||
queryLabels := map[string]string{
|
||||
"mutate.updaterequest.kyverno.io/policy-name": ur.Spec.Policy,
|
||||
urkyverno.URMutatePolicyLabel: ur.Spec.Policy,
|
||||
"mutate.updaterequest.kyverno.io/trigger-name": ur.Spec.Resource.Name,
|
||||
"mutate.updaterequest.kyverno.io/trigger-namespace": ur.Spec.Resource.Namespace,
|
||||
"mutate.updaterequest.kyverno.io/trigger-kind": ur.Spec.Resource.Kind,
|
||||
|
@ -140,7 +140,7 @@ func retryApplyResource(client *kyvernoclient.Clientset, urSpec urkyverno.Update
|
|||
}
|
||||
} else if ur.Spec.Type == urkyverno.Generate {
|
||||
queryLabels = labels.Set(map[string]string{
|
||||
"generate.kyverno.io/policy-name": policyName,
|
||||
urkyverno.URGeneratePolicyLabel: policyName,
|
||||
"generate.kyverno.io/resource-name": urSpec.Resource.Name,
|
||||
"generate.kyverno.io/resource-kind": urSpec.Resource.Kind,
|
||||
"generate.kyverno.io/resource-namespace": urSpec.Resource.Namespace,
|
||||
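Review bot: In `retryApplyResource`, the mutate branch declares a second `queryLabels` with `:=` inside the `if ur.Spec.Type == urkyverno.Mutate` block, so the map that now carries `urkyverno.URMutatePolicyLabel` shadows the outer `queryLabels` created with `make(map[string]string)` just above, while the generate branch assigns with `=`. Unless the lines hidden between the two hunks copy it back, the outer map is still empty after the mutate branch, and if it is later turned into a selector, an empty label set matches every UpdateRequest instead of only this policy and trigger. Changing that line to `queryLabels = map[string]string{` would make both branches fill the same variable. The function starts before the first hunk and continues past the second.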
|
|