Signed-off-by: ShutingZhao <shuting@nirmata.com>
This commit is contained in:
parent
a5eed7834e
commit
d5e1633412
26 changed files with 52 additions and 91 deletions
|
@ -26,6 +26,7 @@ import (
|
||||||
// UpdateRequestStatus defines the observed state of UpdateRequest
|
// UpdateRequestStatus defines the observed state of UpdateRequest
|
||||||
type UpdateRequestStatus struct {
|
type UpdateRequestStatus struct {
|
||||||
// Handler represents the instance ID that handles the UR
|
// Handler represents the instance ID that handles the UR
|
||||||
|
// Deprecated
|
||||||
Handler string `json:"handler,omitempty" yaml:"handler,omitempty"`
|
Handler string `json:"handler,omitempty" yaml:"handler,omitempty"`
|
||||||
|
|
||||||
// State represents state of the update request.
|
// State represents state of the update request.
|
||||||
|
|
|
@ -29410,6 +29410,7 @@ spec:
|
||||||
type: array
|
type: array
|
||||||
handler:
|
handler:
|
||||||
description: Handler represents the instance ID that handles the UR
|
description: Handler represents the instance ID that handles the UR
|
||||||
|
Deprecated
|
||||||
type: string
|
type: string
|
||||||
message:
|
message:
|
||||||
description: Specifies request status message.
|
description: Specifies request status message.
|
||||||
|
|
|
@ -135,24 +135,11 @@ func createNonLeaderControllers(
|
||||||
configuration,
|
configuration,
|
||||||
kubeKyvernoInformer.Core().V1().ConfigMaps(),
|
kubeKyvernoInformer.Core().V1().ConfigMaps(),
|
||||||
)
|
)
|
||||||
updateRequestController := background.NewController(
|
|
||||||
kyvernoClient,
|
|
||||||
dynamicClient,
|
|
||||||
rclient,
|
|
||||||
kyvernoInformer.Kyverno().V1().ClusterPolicies(),
|
|
||||||
kyvernoInformer.Kyverno().V1().Policies(),
|
|
||||||
kyvernoInformer.Kyverno().V1beta1().UpdateRequests(),
|
|
||||||
kubeInformer.Core().V1().Namespaces(),
|
|
||||||
kubeKyvernoInformer.Core().V1().Pods(),
|
|
||||||
eventGenerator,
|
|
||||||
configuration,
|
|
||||||
informerCacheResolvers,
|
|
||||||
)
|
|
||||||
return []internal.Controller{
|
return []internal.Controller{
|
||||||
internal.NewController(policycachecontroller.ControllerName, policyCacheController, policycachecontroller.Workers),
|
internal.NewController(policycachecontroller.ControllerName, policyCacheController, policycachecontroller.Workers),
|
||||||
internal.NewController(openapicontroller.ControllerName, openApiController, openapicontroller.Workers),
|
internal.NewController(openapicontroller.ControllerName, openApiController, openapicontroller.Workers),
|
||||||
internal.NewController(configcontroller.ControllerName, configurationController, configcontroller.Workers),
|
internal.NewController(configcontroller.ControllerName, configurationController, configcontroller.Workers),
|
||||||
internal.NewController("update-request-controller", updateRequestController, genWorkers),
|
|
||||||
},
|
},
|
||||||
func() error {
|
func() error {
|
||||||
return policyCacheController.WarmUp()
|
return policyCacheController.WarmUp()
|
||||||
|
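Review bot: With the `updateRequestController := background.NewController(` block and its `internal.NewController("update-request-controller", ...)` entry removed, the `genWorkers` argument appears to have lost its only use inside createNonLeaderControllers; the signature is outside the hunk, so if nothing else reads it, drop the parameter there and at the call site in main instead of leaving a dead parameter that Go will not flag. The controller now lives only in createrLeaderControllers (hunk @ -367), which is the reason the per-pod handler lock in syncUpdateRequest can go, and that reason is worth a comment next to the leader-side registration since nothing in the controller enforces it any more.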
@ -264,6 +251,7 @@ func createrLeaderControllers(
|
||||||
admissionReports bool,
|
admissionReports bool,
|
||||||
reportsChunkSize int,
|
reportsChunkSize int,
|
||||||
backgroundScanWorkers int,
|
backgroundScanWorkers int,
|
||||||
|
genWorkers int,
|
||||||
serverIP string,
|
serverIP string,
|
||||||
webhookTimeout int,
|
webhookTimeout int,
|
||||||
autoUpdateWebhooks bool,
|
autoUpdateWebhooks bool,
|
||||||
|
@ -367,12 +355,26 @@ func createrLeaderControllers(
|
||||||
enablePolicyException,
|
enablePolicyException,
|
||||||
exceptionNamespace,
|
exceptionNamespace,
|
||||||
)
|
)
|
||||||
|
backgroundController := background.NewController(
|
||||||
|
kyvernoClient,
|
||||||
|
dynamicClient,
|
||||||
|
rclient,
|
||||||
|
kyvernoInformer.Kyverno().V1().ClusterPolicies(),
|
||||||
|
kyvernoInformer.Kyverno().V1().Policies(),
|
||||||
|
kyvernoInformer.Kyverno().V1beta1().UpdateRequests(),
|
||||||
|
kubeInformer.Core().V1().Namespaces(),
|
||||||
|
eventGenerator,
|
||||||
|
configuration,
|
||||||
|
configMapResolver,
|
||||||
|
)
|
||||||
|
|
||||||
return append(
|
return append(
|
||||||
[]internal.Controller{
|
[]internal.Controller{
|
||||||
internal.NewController("policy-controller", policyCtrl, 2),
|
internal.NewController("policy-controller", policyCtrl, 2),
|
||||||
internal.NewController(certmanager.ControllerName, certManager, certmanager.Workers),
|
internal.NewController(certmanager.ControllerName, certManager, certmanager.Workers),
|
||||||
internal.NewController(webhookcontroller.ControllerName, webhookController, webhookcontroller.Workers),
|
internal.NewController(webhookcontroller.ControllerName, webhookController, webhookcontroller.Workers),
|
||||||
internal.NewController(exceptionWebhookControllerName, exceptionWebhookController, 1),
|
internal.NewController(exceptionWebhookControllerName, exceptionWebhookController, 1),
|
||||||
|
internal.NewController("background-controller", backgroundController, genWorkers),
|
||||||
},
|
},
|
||||||
reportControllers...,
|
reportControllers...,
|
||||||
),
|
),
|
||||||
|
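Review bot: The new entry `internal.NewController("background-controller", backgroundController, genWorkers)` uses a string literal while the neighbouring certmanager and webhookcontroller entries take `ControllerName`/`Workers` constants from their packages; the related queue name `"background"` in NewController (hunk @ -91) is a second literal of the same family, so exporting `ControllerName` and `Workers` from the background package and using them in both places keeps the names from drifting apart. Because this controller was moved here from createNonLeaderControllers, a short comment such as `// leader only: update requests are no longer locked per pod, so exactly one instance may run this` at the registration would record why the handler-based locking could be dropped. createrLeaderControllers starts and ends outside the hunk.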
@ -589,6 +591,7 @@ func main() {
|
||||||
admissionReports,
|
admissionReports,
|
||||||
reportsChunkSize,
|
reportsChunkSize,
|
||||||
backgroundScanWorkers,
|
backgroundScanWorkers,
|
||||||
|
genWorkers,
|
||||||
serverIP,
|
serverIP,
|
||||||
webhookTimeout,
|
webhookTimeout,
|
||||||
autoUpdateWebhooks,
|
autoUpdateWebhooks,
|
||||||
|
|
|
@ -370,6 +370,7 @@ spec:
|
||||||
type: array
|
type: array
|
||||||
handler:
|
handler:
|
||||||
description: Handler represents the instance ID that handles the UR
|
description: Handler represents the instance ID that handles the UR
|
||||||
|
Deprecated
|
||||||
type: string
|
type: string
|
||||||
message:
|
message:
|
||||||
description: Specifies request status message.
|
description: Specifies request status message.
|
||||||
|
|
|
@ -29485,6 +29485,7 @@ spec:
|
||||||
type: array
|
type: array
|
||||||
handler:
|
handler:
|
||||||
description: Handler represents the instance ID that handles the UR
|
description: Handler represents the instance ID that handles the UR
|
||||||
|
Deprecated
|
||||||
type: string
|
type: string
|
||||||
message:
|
message:
|
||||||
description: Specifies request status message.
|
description: Specifies request status message.
|
||||||
|
|
|
@ -4927,7 +4927,8 @@ string
|
||||||
</em>
|
</em>
|
||||||
</td>
|
</td>
|
||||||
<td>
|
<td>
|
||||||
<p>Handler represents the instance ID that handles the UR</p>
|
<p>Handler represents the instance ID that handles the UR
|
||||||
|
Deprecated</p>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
|
|
|
@ -31,7 +31,6 @@ import (
|
||||||
corev1informers "k8s.io/client-go/informers/core/v1"
|
corev1informers "k8s.io/client-go/informers/core/v1"
|
||||||
corev1listers "k8s.io/client-go/listers/core/v1"
|
corev1listers "k8s.io/client-go/listers/core/v1"
|
||||||
"k8s.io/client-go/tools/cache"
|
"k8s.io/client-go/tools/cache"
|
||||||
"k8s.io/client-go/util/retry"
|
|
||||||
"k8s.io/client-go/util/workqueue"
|
"k8s.io/client-go/util/workqueue"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -56,7 +55,6 @@ type controller struct {
|
||||||
polLister kyvernov1listers.PolicyLister
|
polLister kyvernov1listers.PolicyLister
|
||||||
urLister kyvernov1beta1listers.UpdateRequestNamespaceLister
|
urLister kyvernov1beta1listers.UpdateRequestNamespaceLister
|
||||||
nsLister corev1listers.NamespaceLister
|
nsLister corev1listers.NamespaceLister
|
||||||
podLister corev1listers.PodLister
|
|
||||||
|
|
||||||
informersSynced []cache.InformerSynced
|
informersSynced []cache.InformerSynced
|
||||||
|
|
||||||
|
@ -77,7 +75,6 @@ func NewController(
|
||||||
polInformer kyvernov1informers.PolicyInformer,
|
polInformer kyvernov1informers.PolicyInformer,
|
||||||
urInformer kyvernov1beta1informers.UpdateRequestInformer,
|
urInformer kyvernov1beta1informers.UpdateRequestInformer,
|
||||||
namespaceInformer corev1informers.NamespaceInformer,
|
namespaceInformer corev1informers.NamespaceInformer,
|
||||||
podInformer corev1informers.PodInformer,
|
|
||||||
eventGen event.Interface,
|
eventGen event.Interface,
|
||||||
dynamicConfig config.Configuration,
|
dynamicConfig config.Configuration,
|
||||||
informerCacheResolvers resolvers.ConfigmapResolver,
|
informerCacheResolvers resolvers.ConfigmapResolver,
|
||||||
|
@ -91,8 +88,7 @@ func NewController(
|
||||||
polLister: polInformer.Lister(),
|
polLister: polInformer.Lister(),
|
||||||
urLister: urLister,
|
urLister: urLister,
|
||||||
nsLister: namespaceInformer.Lister(),
|
nsLister: namespaceInformer.Lister(),
|
||||||
podLister: podInformer.Lister(),
|
queue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "background"),
|
||||||
queue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "update-request"),
|
|
||||||
eventGen: eventGen,
|
eventGen: eventGen,
|
||||||
configuration: dynamicConfig,
|
configuration: dynamicConfig,
|
||||||
informerCacheResolvers: informerCacheResolvers,
|
informerCacheResolvers: informerCacheResolvers,
|
||||||
|
@ -111,7 +107,7 @@ func NewController(
|
||||||
DeleteFunc: c.deletePolicy,
|
DeleteFunc: c.deletePolicy,
|
||||||
})
|
})
|
||||||
|
|
||||||
c.informersSynced = []cache.InformerSynced{cpolInformer.Informer().HasSynced, polInformer.Informer().HasSynced, urInformer.Informer().HasSynced, namespaceInformer.Informer().HasSynced, podInformer.Informer().HasSynced}
|
c.informersSynced = []cache.InformerSynced{cpolInformer.Informer().HasSynced, polInformer.Informer().HasSynced, urInformer.Informer().HasSynced, namespaceInformer.Informer().HasSynced}
|
||||||
|
|
||||||
return &c
|
return &c
|
||||||
}
|
}
|
||||||
|
@ -194,18 +190,7 @@ func (c *controller) syncUpdateRequest(key string) error {
|
||||||
if ur.Status.State == "" {
|
if ur.Status.State == "" {
|
||||||
ur = ur.DeepCopy()
|
ur = ur.DeepCopy()
|
||||||
ur.Status.State = kyvernov1beta1.Pending
|
ur.Status.State = kyvernov1beta1.Pending
|
||||||
_, err := c.kyvernoClient.KyvernoV1beta1().UpdateRequests(config.KyvernoNamespace()).UpdateStatus(context.TODO(), ur, metav1.UpdateOptions{})
|
if _, err := c.kyvernoClient.KyvernoV1beta1().UpdateRequests(config.KyvernoNamespace()).UpdateStatus(context.TODO(), ur, metav1.UpdateOptions{}); err != nil {
|
||||||
return err
|
|
||||||
}
|
|
||||||
// if it was acquired by a pod that is gone, release it
|
|
||||||
if ur.Status.Handler != "" {
|
|
||||||
_, err = c.podLister.Pods(config.KyvernoNamespace()).Get(ur.Status.Handler)
|
|
||||||
if err != nil {
|
|
||||||
if apierrors.IsNotFound(err) {
|
|
||||||
ur = ur.DeepCopy()
|
|
||||||
ur.Status.Handler = ""
|
|
||||||
_, err = c.kyvernoClient.KyvernoV1beta1().UpdateRequests(config.KyvernoNamespace()).UpdateStatus(context.TODO(), ur, metav1.UpdateOptions{})
|
|
||||||
}
|
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
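Review bot: The new `if _, err := ...UpdateStatus(...); err != nil` discards the updated object, and since the unconditional `return err` that followed the old call is gone, the sync now continues into processUR with a `ur` whose resourceVersion predates the Pending write, so any later status update on that object is likely to hit a conflict. `err` is already assigned without declaration further down in syncUpdateRequest (`err = c.cleanUR(ur)`), so both it and `ur` are in function scope and the line can keep the result: `if ur, err = c.kyvernoClient.KyvernoV1beta1().UpdateRequests(config.KyvernoNamespace()).UpdateStatus(context.TODO(), ur, metav1.UpdateOptions{}); err != nil {`. Alternatively keep the old early return and let the informer event for the now-Pending UR requeue it. syncUpdateRequest starts and ends outside the hunk.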
@ -228,28 +213,13 @@ func (c *controller) syncUpdateRequest(key string) error {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
// if in pending state, try to acquire ur and eventually process it
|
// process pending URs
|
||||||
if ur.Status.State == kyvernov1beta1.Pending {
|
if ur.Status.State == kyvernov1beta1.Pending {
|
||||||
ur, ok, err := c.acquireUR(ur)
|
|
||||||
if err != nil {
|
|
||||||
if apierrors.IsNotFound(err) {
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
return fmt.Errorf("failed to mark handler for UR %s: %v", key, err)
|
|
||||||
}
|
|
||||||
if !ok {
|
|
||||||
logger.V(3).Info("another instance is handling the UR", "handler", ur.Status.Handler)
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
logger.V(3).Info("UR is marked successfully", "ur", ur.GetName(), "resourceVersion", ur.GetResourceVersion())
|
|
||||||
if err := c.processUR(ur); err != nil {
|
if err := c.processUR(ur); err != nil {
|
||||||
return fmt.Errorf("failed to process UR %s: %v", key, err)
|
return fmt.Errorf("failed to process UR %s: %v", key, err)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
ur, err = c.releaseUR(ur)
|
|
||||||
if err != nil {
|
|
||||||
return fmt.Errorf("failed to unmark UR %s: %v", key, err)
|
|
||||||
}
|
|
||||||
err = c.cleanUR(ur)
|
err = c.cleanUR(ur)
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
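Review bot: After the acquire/release removal, `cleanUR(ur)` receives the same `ur` that went into processUR, whereas releaseUR previously re-read the object from the lister so cleanUR saw the post-processing `Status.State`. processUR is outside the hunk; if it persists the Completed state through the client without mutating the passed-in object, the `Mutate && Completed` delete in cleanUR will no longer fire, so either have processUR hand back the updated object or re-fetch it before cleaning. The new comment `// process pending URs` is the natural place to state the new invariant, e.g. `// process pending URs; no per-pod handler lock is needed because this controller runs on the leader only`. The trailing `err = c.cleanUR(ur)` / `return err` pair can simply be `return c.cleanUR(ur)`.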
@ -429,47 +399,6 @@ func (c *controller) processUR(ur *kyvernov1beta1.UpdateRequest) error {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *controller) acquireUR(ur *kyvernov1beta1.UpdateRequest) (*kyvernov1beta1.UpdateRequest, bool, error) {
|
|
||||||
name := ur.GetName()
|
|
||||||
err := retry.RetryOnConflict(retry.DefaultRetry, func() error {
|
|
||||||
var err error
|
|
||||||
ur, err = c.urLister.Get(name)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
if ur.Status.Handler != "" {
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
ur = ur.DeepCopy()
|
|
||||||
ur.Status.Handler = config.KyvernoPodName()
|
|
||||||
ur, err = c.kyvernoClient.KyvernoV1beta1().UpdateRequests(config.KyvernoNamespace()).UpdateStatus(context.TODO(), ur, metav1.UpdateOptions{})
|
|
||||||
return err
|
|
||||||
})
|
|
||||||
if err != nil {
|
|
||||||
logger.Error(err, "failed to acquire ur", "name", name, "ur", ur)
|
|
||||||
return nil, false, err
|
|
||||||
}
|
|
||||||
return ur, ur.Status.Handler == config.KyvernoPodName(), err
|
|
||||||
}
|
|
||||||
|
|
||||||
func (c *controller) releaseUR(ur *kyvernov1beta1.UpdateRequest) (*kyvernov1beta1.UpdateRequest, error) {
|
|
||||||
err := retry.RetryOnConflict(retry.DefaultRetry, func() error {
|
|
||||||
var err error
|
|
||||||
ur, err = c.urLister.Get(ur.GetName())
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
if ur.Status.Handler != config.KyvernoPodName() {
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
ur = ur.DeepCopy()
|
|
||||||
ur.Status.Handler = ""
|
|
||||||
ur, err = c.kyvernoClient.KyvernoV1beta1().UpdateRequests(config.KyvernoNamespace()).UpdateStatus(context.TODO(), ur, metav1.UpdateOptions{})
|
|
||||||
return err
|
|
||||||
})
|
|
||||||
return ur, err
|
|
||||||
}
|
|
||||||
|
|
||||||
func (c *controller) cleanUR(ur *kyvernov1beta1.UpdateRequest) error {
|
func (c *controller) cleanUR(ur *kyvernov1beta1.UpdateRequest) error {
|
||||||
if ur.Spec.Type == kyvernov1beta1.Mutate && ur.Status.State == kyvernov1beta1.Completed {
|
if ur.Spec.Type == kyvernov1beta1.Mutate && ur.Status.State == kyvernov1beta1.Completed {
|
||||||
return c.kyvernoClient.KyvernoV1beta1().UpdateRequests(config.KyvernoNamespace()).Delete(context.TODO(), ur.GetName(), metav1.DeleteOptions{})
|
return c.kyvernoClient.KyvernoV1beta1().UpdateRequests(config.KyvernoNamespace()).Delete(context.TODO(), ur.GetName(), metav1.DeleteOptions{})
|
||||||
|
|
|
@ -0,0 +1,5 @@
|
||||||
|
# A command can only run a single command, not a pipeline and not a script. The program called must exist on the system where the test is run.
|
||||||
|
apiVersion: kuttl.dev/v1beta1
|
||||||
|
kind: TestStep
|
||||||
|
commands:
|
||||||
|
- command: sleep 3
|
|
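Review bot: `- command: sleep 3` ties the wait for background processing to wall-clock time, which is the usual source of flaky end-to-end steps; the same step is added in the four later `@ -0,0` hunks. A kuttl assert file for the expected resource state is polled until the step timeout and would both remove the fixed delay and fail with a clear diff if the background controller never reconciles. One of the five new steps (the `+1,4` hunk) omits the leading comment the other four carry; keep them consistent.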
@ -0,0 +1,4 @@
|
||||||
|
apiVersion: kuttl.dev/v1beta1
|
||||||
|
kind: TestStep
|
||||||
|
commands:
|
||||||
|
- command: sleep 3
|
|
@ -0,0 +1,5 @@
|
||||||
|
# A command can only run a single command, not a pipeline and not a script. The program called must exist on the system where the test is run.
|
||||||
|
apiVersion: kuttl.dev/v1beta1
|
||||||
|
kind: TestStep
|
||||||
|
commands:
|
||||||
|
- command: sleep 3
|
|
@ -0,0 +1,5 @@
|
||||||
|
# A command can only run a single command, not a pipeline and not a script. The program called must exist on the system where the test is run.
|
||||||
|
apiVersion: kuttl.dev/v1beta1
|
||||||
|
kind: TestStep
|
||||||
|
commands:
|
||||||
|
- command: sleep 3
|
|
@ -0,0 +1,5 @@
|
||||||
|
# A command can only run a single command, not a pipeline and not a script. The program called must exist on the system where the test is run.
|
||||||
|
apiVersion: kuttl.dev/v1beta1
|
||||||
|
kind: TestStep
|
||||||
|
commands:
|
||||||
|
- command: sleep 3
|