mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-28 10:28:36 +00:00
Code Activity

refactor: used typed admission request in ur (#4022)

Browse source 
* refactor: add policy event listener in ur controller (#4012)

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
(cherry picked from commit cd1fa030ee)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* refactor: used typed admission request in ur

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* refactor: used typed admission request in ur

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* Handle the error properly

Signed-off-by: ShutingZhao <shuting@nirmata.com>

Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
Co-authored-by: ShutingZhao <shuting@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché 2022-05-29 09:27:14 +02:00 committed by GitHub
parent 7245c92dcf
commit dae3dad027
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
18 changed files with 726 additions and 220 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
Makefile
View file

@ -376,7 +376,8 @@ install-controller-gen: ## Install controller-gen
CONTROLLER_GEN_TMP_DIR=$$(mktemp -d) ;\
cd $$CONTROLLER_GEN_TMP_DIR ;\
go mod init tmp ;\
go install sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_GEN_REQ_VERSION) ;\
go mod edit -replace=sigs.k8s.io/controller-tools@$(CONTROLLER_GEN_REQ_VERSION)=github.com/eddycharly/controller-tools@704af868d45a3a78448b9a6a2279c12ea96a621e ;\
go get sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_GEN_REQ_VERSION) ;\
rm -rf $$CONTROLLER_GEN_TMP_DIR ;\
}
CONTROLLER_GEN=$(GOPATH)/bin/controller-gen

2
api/kyverno/v1beta1/updaterequest_types.go
View file

@ -117,7 +117,7 @@ type RequestInfo struct {
// AdmissionRequestInfoObject stores the admission request and operation details
type AdmissionRequestInfoObject struct {
// +optional
AdmissionRequest string `json:"admissionRequest,omitempty" yaml:"admissionRequest,omitempty"`
AdmissionRequest *admissionv1.AdmissionRequest `json:"admissionRequest,omitempty" yaml:"admissionRequest,omitempty"`
// +optional
Operation admissionv1.Operation `json:"operation,omitempty" yaml:"operation,omitempty"`
}

8
api/kyverno/v1beta1/zz_generated.deepcopy.go
View file

@ -21,12 +21,18 @@ package v1beta1
import (
"github.com/kyverno/kyverno/api/kyverno/v1"
admissionv1 "k8s.io/api/admission/v1"
"k8s.io/apimachinery/pkg/runtime"
)
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *AdmissionRequestInfoObject) DeepCopyInto(out *AdmissionRequestInfoObject) {
*out = *in
if in.AdmissionRequest != nil {
in, out := &in.AdmissionRequest, &out.AdmissionRequest
*out = new(admissionv1.AdmissionRequest)
(*in).DeepCopyInto(*out)
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionRequestInfoObject.
@ -145,7 +151,7 @@ func (in *UpdateRequestSpec) DeepCopy() *UpdateRequestSpec {
func (in *UpdateRequestSpecContext) DeepCopyInto(out *UpdateRequestSpecContext) {
*out = *in
in.UserRequestInfo.DeepCopyInto(&out.UserRequestInfo)
out.AdmissionRequestInfo = in.AdmissionRequestInfo
in.AdmissionRequestInfo.DeepCopyInto(&out.AdmissionRequestInfo)
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpdateRequestSpecContext.

170
charts/kyverno/templates/crds.yaml
View file

@ -1611,12 +1611,6 @@ spec:
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@ -1883,12 +1877,6 @@ spec:
served: true
storage: true
subresources: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@ -2155,12 +2143,6 @@ spec:
served: true
storage: true
subresources: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@ -2336,12 +2318,6 @@ spec:
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@ -3955,12 +3931,6 @@ spec:
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@ -4227,12 +4197,6 @@ spec:
served: true
storage: true
subresources: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@ -4499,12 +4463,6 @@ spec:
served: true
storage: true
subresources: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@ -4577,7 +4535,127 @@ spec:
description: AdmissionRequestInfoObject stores the admission request and operation details
properties:
admissionRequest:
type: string
description: AdmissionRequest describes the admission.Attributes for the admission request.
properties:
dryRun:
description: DryRun indicates that modifications will definitely not be persisted for this request. Defaults to false.
type: boolean
kind:
description: Kind is the fully-qualified type of object being submitted (for example, v1.Pod or autoscaling.v1.Scale)
properties:
group:
type: string
kind:
type: string
version:
type: string
required:
- group
- kind
- version
type: object
name:
description: Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and rely on the server to generate the name. If that is the case, this field will contain an empty string.
type: string
namespace:
description: Namespace is the namespace associated with the request (if any).
type: string
object:
description: Object is the object from the incoming request.
type: object
x-kubernetes-preserve-unknown-fields: true
oldObject:
description: OldObject is the existing object. Only populated for DELETE and UPDATE requests.
type: object
x-kubernetes-preserve-unknown-fields: true
operation:
description: Operation is the operation being performed. This may be different than the operation requested. e.g. a patch can result in either a CREATE or UPDATE Operation.
type: string
options:
description: Options is the operation option structure of the operation being performed. e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be different than the options the caller provided. e.g. for a patch request the performed Operation might be a CREATE, in which case the Options will a `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`.
type: object
x-kubernetes-preserve-unknown-fields: true
requestKind:
description: "RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale). If this is specified and differs from the value in \"kind\", an equivalent match and conversion was performed. \n For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]` and `matchPolicy: Equivalent`, an API request to apps/v1beta1 deployments would be converted and sent to the webhook with `kind: {group:\"apps\", version:\"v1\", kind:\"Deployment\"}` (matching the rule the webhook registered for), and `requestKind: {group:\"apps\", version:\"v1beta1\", kind:\"Deployment\"}` (indicating the kind of the original API request). \n See documentation for the \"matchPolicy\" field in the webhook configuration type for more details."
properties:
group:
type: string
kind:
type: string
version:
type: string
required:
- group
- kind
- version
type: object
requestResource:
description: "RequestResource is the fully-qualified resource of the original API request (for example, v1.pods). If this is specified and differs from the value in \"resource\", an equivalent match and conversion was performed. \n For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]` and `matchPolicy: Equivalent`, an API request to apps/v1beta1 deployments would be converted and sent to the webhook with `resource: {group:\"apps\", version:\"v1\", resource:\"deployments\"}` (matching the resource the webhook registered for), and `requestResource: {group:\"apps\", version:\"v1beta1\", resource:\"deployments\"}` (indicating the resource of the original API request). \n See documentation for the \"matchPolicy\" field in the webhook configuration type."
properties:
group:
type: string
resource:
type: string
version:
type: string
required:
- group
- resource
- version
type: object
requestSubResource:
description: RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale") If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed. See documentation for the "matchPolicy" field in the webhook configuration type.
type: string
resource:
description: Resource is the fully-qualified resource being requested (for example, v1.pods)
properties:
group:
type: string
resource:
type: string
version:
type: string
required:
- group
- resource
- version
type: object
subResource:
description: SubResource is the subresource being requested, if any (for example, "status" or "scale")
type: string
uid:
description: UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are otherwise identical (parallel requests, requests when earlier requests did not modify etc) The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request. It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.
type: string
userInfo:
description: UserInfo is information about the requesting user
properties:
extra:
additionalProperties:
description: ExtraValue masks the value so protobuf can generate
items:
type: string
type: array
description: Any additional information provided by the authenticator.
type: object
groups:
description: The names of groups this user is a part of.
items:
type: string
type: array
uid:
description: A unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs.
type: string
username:
description: The name that uniquely identifies this user among all active users.
type: string
type: object
required:
- kind
- operation
- resource
- uid
- userInfo
type: object
operation:
description: Operation is the type of resource operation being checked for admission control
type: string
@ -4690,10 +4768,4 @@ spec:
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
{{- end }}

14
cmd/initContainer/main.go
View file

@ -5,6 +5,7 @@ package main
import (
"context"
"encoding/json"
"flag"
"os"
"sync"
@ -20,6 +21,7 @@ import (
"github.com/kyverno/kyverno/pkg/signal"
"github.com/kyverno/kyverno/pkg/tls"
"github.com/kyverno/kyverno/pkg/utils"
admissionv1 "k8s.io/api/admission/v1"
coordinationv1 "k8s.io/api/coordination/v1"
"k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@ -445,6 +447,16 @@ func convertGR(pclient kyvernoclient.Interface) error {
}
for _, gr := range grs.Items {
cp := gr.DeepCopy()
var request *admissionv1.AdmissionRequest
if cp.Spec.Context.AdmissionRequestInfo.AdmissionRequest != "" {
var r admissionv1.AdmissionRequest
err := json.Unmarshal([]byte(cp.Spec.Context.AdmissionRequestInfo.AdmissionRequest), &r)
if err != nil {
logger.Error(err, "failed to unmarshal admission request")
errors = append(errors, err)
continue
}
}
ur := &kyvernov1beta1.UpdateRequest{
ObjectMeta: metav1.ObjectMeta{
GenerateName: "ur-",
@ -462,7 +474,7 @@ func convertGR(pclient kyvernoclient.Interface) error {
AdmissionUserInfo: cp.Spec.Context.UserRequestInfo.AdmissionUserInfo,
},
AdmissionRequestInfo: kyvernov1beta1.AdmissionRequestInfoObject{
AdmissionRequest: cp.Spec.Context.AdmissionRequestInfo.AdmissionRequest,
AdmissionRequest: request,
Operation: cp.Spec.Context.AdmissionRequestInfo.Operation,
},
},

6
config/crds/kyverno.io_clusterpolicies.yaml
View file

@ -2561,9 +2561,3 @@ spec:
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

6
config/crds/kyverno.io_clusterreportchangerequests.yaml
View file

@ -354,9 +354,3 @@ spec:
served: true
storage: true
subresources: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

6
config/crds/kyverno.io_generaterequests.yaml
View file

@ -182,9 +182,3 @@ spec:
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

6
config/crds/kyverno.io_policies.yaml
View file

@ -2563,9 +2563,3 @@ spec:
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

6
config/crds/kyverno.io_reportchangerequests.yaml
View file

@ -354,9 +354,3 @@ spec:
served: true
storage: true
subresources: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

198
config/crds/kyverno.io_updaterequests.yaml
View file

@ -68,7 +68,197 @@ spec:
and operation details
properties:
admissionRequest:
type: string
description: AdmissionRequest describes the admission.Attributes
for the admission request.
properties:
dryRun:
description: DryRun indicates that modifications will
definitely not be persisted for this request. Defaults
to false.
type: boolean
kind:
description: Kind is the fully-qualified type of object
being submitted (for example, v1.Pod or autoscaling.v1.Scale)
properties:
group:
type: string
kind:
type: string
version:
type: string
required:
- group
- kind
- version
type: object
name:
description: Name is the name of the object as presented
in the request. On a CREATE operation, the client may
omit name and rely on the server to generate the name. If
that is the case, this field will contain an empty string.
type: string
namespace:
description: Namespace is the namespace associated with
the request (if any).
type: string
object:
description: Object is the object from the incoming request.
type: object
x-kubernetes-preserve-unknown-fields: true
oldObject:
description: OldObject is the existing object. Only populated
for DELETE and UPDATE requests.
type: object
x-kubernetes-preserve-unknown-fields: true
operation:
description: Operation is the operation being performed.
This may be different than the operation requested.
e.g. a patch can result in either a CREATE or UPDATE
Operation.
type: string
options:
description: Options is the operation option structure
of the operation being performed. e.g. `meta.k8s.io/v1.DeleteOptions`
or `meta.k8s.io/v1.CreateOptions`. This may be different
than the options the caller provided. e.g. for a patch
request the performed Operation might be a CREATE, in
which case the Options will a `meta.k8s.io/v1.CreateOptions`
even though the caller provided `meta.k8s.io/v1.PatchOptions`.
type: object
x-kubernetes-preserve-unknown-fields: true
requestKind:
description: "RequestKind is the fully-qualified type
of the original API request (for example, v1.Pod or
autoscaling.v1.Scale). If this is specified and differs
from the value in \"kind\", an equivalent match and
conversion was performed. \n For example, if deployments
can be modified via apps/v1 and apps/v1beta1, and a
webhook registered a rule of `apiGroups:[\"apps\"],
apiVersions:[\"v1\"], resources: [\"deployments\"]`
and `matchPolicy: Equivalent`, an API request to apps/v1beta1
deployments would be converted and sent to the webhook
with `kind: {group:\"apps\", version:\"v1\", kind:\"Deployment\"}`
(matching the rule the webhook registered for), and
`requestKind: {group:\"apps\", version:\"v1beta1\",
kind:\"Deployment\"}` (indicating the kind of the original
API request). \n See documentation for the \"matchPolicy\"
field in the webhook configuration type for more details."
properties:
group:
type: string
kind:
type: string
version:
type: string
required:
- group
- kind
- version
type: object
requestResource:
description: "RequestResource is the fully-qualified resource
of the original API request (for example, v1.pods).
If this is specified and differs from the value in \"resource\",
an equivalent match and conversion was performed. \n
For example, if deployments can be modified via apps/v1
and apps/v1beta1, and a webhook registered a rule of
`apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources:
[\"deployments\"]` and `matchPolicy: Equivalent`, an
API request to apps/v1beta1 deployments would be converted
and sent to the webhook with `resource: {group:\"apps\",
version:\"v1\", resource:\"deployments\"}` (matching
the resource the webhook registered for), and `requestResource:
{group:\"apps\", version:\"v1beta1\", resource:\"deployments\"}`
(indicating the resource of the original API request).
\n See documentation for the \"matchPolicy\" field in
the webhook configuration type."
properties:
group:
type: string
resource:
type: string
version:
type: string
required:
- group
- resource
- version
type: object
requestSubResource:
description: RequestSubResource is the name of the subresource
of the original API request, if any (for example, "status"
or "scale") If this is specified and differs from the
value in "subResource", an equivalent match and conversion
was performed. See documentation for the "matchPolicy"
field in the webhook configuration type.
type: string
resource:
description: Resource is the fully-qualified resource
being requested (for example, v1.pods)
properties:
group:
type: string
resource:
type: string
version:
type: string
required:
- group
- resource
- version
type: object
subResource:
description: SubResource is the subresource being requested,
if any (for example, "status" or "scale")
type: string
uid:
description: UID is an identifier for the individual request/response.
It allows us to distinguish instances of requests which
are otherwise identical (parallel requests, requests
when earlier requests did not modify etc) The UID is
meant to track the round trip (request/response) between
the KAS and the WebHook, not the user request. It is
suitable for correlating log entries between the webhook
and apiserver, for either auditing or debugging.
type: string
userInfo:
description: UserInfo is information about the requesting
user
properties:
extra:
additionalProperties:
description: ExtraValue masks the value so protobuf
can generate
items:
type: string
type: array
description: Any additional information provided by
the authenticator.
type: object
groups:
description: The names of groups this user is a part
of.
items:
type: string
type: array
uid:
description: A unique value that identifies this user
across time. If this user is deleted and another
user by the same name is added, they will have different
UIDs.
type: string
username:
description: The name that uniquely identifies this
user among all active users.
type: string
type: object
required:
- kind
- operation
- resource
- uid
- userInfo
type: object
operation:
description: Operation is the type of resource operation being
checked for admission control
@ -193,9 +383,3 @@ spec:
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

6
config/crds/wgpolicyk8s.io_clusterpolicyreports.yaml
View file

@ -354,9 +354,3 @@ spec:
served: true
storage: true
subresources: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

6
config/crds/wgpolicyk8s.io_policyreports.yaml
View file

@ -353,9 +353,3 @@ spec:
served: true
storage: true
subresources: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

240
config/install.yaml
View file

@ -2578,12 +2578,6 @@ spec:
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@ -2946,12 +2940,6 @@ spec:
served: true
storage: true
subresources: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@ -3314,12 +3302,6 @@ spec:
served: true
storage: true
subresources: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@ -3510,12 +3492,6 @@ spec:
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@ -6087,12 +6063,6 @@ spec:
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@ -6454,12 +6424,6 @@ spec:
served: true
storage: true
subresources: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@ -6822,12 +6786,6 @@ spec:
served: true
storage: true
subresources: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@ -6904,7 +6862,197 @@ spec:
and operation details
properties:
admissionRequest:
type: string
description: AdmissionRequest describes the admission.Attributes
for the admission request.
properties:
dryRun:
description: DryRun indicates that modifications will
definitely not be persisted for this request. Defaults
to false.
type: boolean
kind:
description: Kind is the fully-qualified type of object
being submitted (for example, v1.Pod or autoscaling.v1.Scale)
properties:
group:
type: string
kind:
type: string
version:
type: string
required:
- group
- kind
- version
type: object
name:
description: Name is the name of the object as presented
in the request. On a CREATE operation, the client may
omit name and rely on the server to generate the name. If
that is the case, this field will contain an empty string.
type: string
namespace:
description: Namespace is the namespace associated with
the request (if any).
type: string
object:
description: Object is the object from the incoming request.
type: object
x-kubernetes-preserve-unknown-fields: true
oldObject:
description: OldObject is the existing object. Only populated
for DELETE and UPDATE requests.
type: object
x-kubernetes-preserve-unknown-fields: true
operation:
description: Operation is the operation being performed.
This may be different than the operation requested.
e.g. a patch can result in either a CREATE or UPDATE
Operation.
type: string
options:
description: Options is the operation option structure
of the operation being performed. e.g. `meta.k8s.io/v1.DeleteOptions`
or `meta.k8s.io/v1.CreateOptions`. This may be different
than the options the caller provided. e.g. for a patch
request the performed Operation might be a CREATE, in
which case the Options will a `meta.k8s.io/v1.CreateOptions`
even though the caller provided `meta.k8s.io/v1.PatchOptions`.
type: object
x-kubernetes-preserve-unknown-fields: true
requestKind:
description: "RequestKind is the fully-qualified type
of the original API request (for example, v1.Pod or
autoscaling.v1.Scale). If this is specified and differs
from the value in \"kind\", an equivalent match and
conversion was performed. \n For example, if deployments
can be modified via apps/v1 and apps/v1beta1, and a
webhook registered a rule of `apiGroups:[\"apps\"],
apiVersions:[\"v1\"], resources: [\"deployments\"]`
and `matchPolicy: Equivalent`, an API request to apps/v1beta1
deployments would be converted and sent to the webhook
with `kind: {group:\"apps\", version:\"v1\", kind:\"Deployment\"}`
(matching the rule the webhook registered for), and
`requestKind: {group:\"apps\", version:\"v1beta1\",
kind:\"Deployment\"}` (indicating the kind of the original
API request). \n See documentation for the \"matchPolicy\"
field in the webhook configuration type for more details."
properties:
group:
type: string
kind:
type: string
version:
type: string
required:
- group
- kind
- version
type: object
requestResource:
description: "RequestResource is the fully-qualified resource
of the original API request (for example, v1.pods).
If this is specified and differs from the value in \"resource\",
an equivalent match and conversion was performed. \n
For example, if deployments can be modified via apps/v1
and apps/v1beta1, and a webhook registered a rule of
`apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources:
[\"deployments\"]` and `matchPolicy: Equivalent`, an
API request to apps/v1beta1 deployments would be converted
and sent to the webhook with `resource: {group:\"apps\",
version:\"v1\", resource:\"deployments\"}` (matching
the resource the webhook registered for), and `requestResource:
{group:\"apps\", version:\"v1beta1\", resource:\"deployments\"}`
(indicating the resource of the original API request).
\n See documentation for the \"matchPolicy\" field in
the webhook configuration type."
properties:
group:
type: string
resource:
type: string
version:
type: string
required:
- group
- resource
- version
type: object
requestSubResource:
description: RequestSubResource is the name of the subresource
of the original API request, if any (for example, "status"
or "scale") If this is specified and differs from the
value in "subResource", an equivalent match and conversion
was performed. See documentation for the "matchPolicy"
field in the webhook configuration type.
type: string
resource:
description: Resource is the fully-qualified resource
being requested (for example, v1.pods)
properties:
group:
type: string
resource:
type: string
version:
type: string
required:
- group
- resource
- version
type: object
subResource:
description: SubResource is the subresource being requested,
if any (for example, "status" or "scale")
type: string
uid:
description: UID is an identifier for the individual request/response.
It allows us to distinguish instances of requests which
are otherwise identical (parallel requests, requests
when earlier requests did not modify etc) The UID is
meant to track the round trip (request/response) between
the KAS and the WebHook, not the user request. It is
suitable for correlating log entries between the webhook
and apiserver, for either auditing or debugging.
type: string
userInfo:
description: UserInfo is information about the requesting
user
properties:
extra:
additionalProperties:
description: ExtraValue masks the value so protobuf
can generate
items:
type: string
type: array
description: Any additional information provided by
the authenticator.
type: object
groups:
description: The names of groups this user is a part
of.
items:
type: string
type: array
uid:
description: A unique value that identifies this user
across time. If this user is deleted and another
user by the same name is added, they will have different
UIDs.
type: string
username:
description: The name that uniquely identifies this
user among all active users.
type: string
type: object
required:
- kind
- operation
- resource
- uid
- userInfo
type: object
operation:
description: Operation is the type of resource operation being
checked for admission control
@ -7029,12 +7177,6 @@ spec:
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: v1
kind: ServiceAccount

240
config/install_debug.yaml
View file

@ -2576,12 +2576,6 @@ spec:
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@ -2943,12 +2937,6 @@ spec:
served: true
storage: true
subresources: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@ -3310,12 +3298,6 @@ spec:
served: true
storage: true
subresources: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@ -3505,12 +3487,6 @@ spec:
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@ -6081,12 +6057,6 @@ spec:
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@ -6447,12 +6417,6 @@ spec:
served: true
storage: true
subresources: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@ -6814,12 +6778,6 @@ spec:
served: true
storage: true
subresources: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@ -6895,7 +6853,197 @@ spec:
and operation details
properties:
admissionRequest:
type: string
description: AdmissionRequest describes the admission.Attributes
for the admission request.
properties:
dryRun:
description: DryRun indicates that modifications will
definitely not be persisted for this request. Defaults
to false.
type: boolean
kind:
description: Kind is the fully-qualified type of object
being submitted (for example, v1.Pod or autoscaling.v1.Scale)
properties:
group:
type: string
kind:
type: string
version:
type: string
required:
- group
- kind
- version
type: object
name:
description: Name is the name of the object as presented
in the request. On a CREATE operation, the client may
omit name and rely on the server to generate the name. If
that is the case, this field will contain an empty string.
type: string
namespace:
description: Namespace is the namespace associated with
the request (if any).
type: string
object:
description: Object is the object from the incoming request.
type: object
x-kubernetes-preserve-unknown-fields: true
oldObject:
description: OldObject is the existing object. Only populated
for DELETE and UPDATE requests.
type: object
x-kubernetes-preserve-unknown-fields: true
operation:
description: Operation is the operation being performed.
This may be different than the operation requested.
e.g. a patch can result in either a CREATE or UPDATE
Operation.
type: string
options:
description: Options is the operation option structure
of the operation being performed. e.g. `meta.k8s.io/v1.DeleteOptions`
or `meta.k8s.io/v1.CreateOptions`. This may be different
than the options the caller provided. e.g. for a patch
request the performed Operation might be a CREATE, in
which case the Options will a `meta.k8s.io/v1.CreateOptions`
even though the caller provided `meta.k8s.io/v1.PatchOptions`.
type: object
x-kubernetes-preserve-unknown-fields: true
requestKind:
description: "RequestKind is the fully-qualified type
of the original API request (for example, v1.Pod or
autoscaling.v1.Scale). If this is specified and differs
from the value in \"kind\", an equivalent match and
conversion was performed. \n For example, if deployments
can be modified via apps/v1 and apps/v1beta1, and a
webhook registered a rule of `apiGroups:[\"apps\"],
apiVersions:[\"v1\"], resources: [\"deployments\"]`
and `matchPolicy: Equivalent`, an API request to apps/v1beta1
deployments would be converted and sent to the webhook
with `kind: {group:\"apps\", version:\"v1\", kind:\"Deployment\"}`
(matching the rule the webhook registered for), and
`requestKind: {group:\"apps\", version:\"v1beta1\",
kind:\"Deployment\"}` (indicating the kind of the original
API request). \n See documentation for the \"matchPolicy\"
field in the webhook configuration type for more details."
properties:
group:
type: string
kind:
type: string
version:
type: string
required:
- group
- kind
- version
type: object
requestResource:
description: "RequestResource is the fully-qualified resource
of the original API request (for example, v1.pods).
If this is specified and differs from the value in \"resource\",
an equivalent match and conversion was performed. \n
For example, if deployments can be modified via apps/v1
and apps/v1beta1, and a webhook registered a rule of
`apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources:
[\"deployments\"]` and `matchPolicy: Equivalent`, an
API request to apps/v1beta1 deployments would be converted
and sent to the webhook with `resource: {group:\"apps\",
version:\"v1\", resource:\"deployments\"}` (matching
the resource the webhook registered for), and `requestResource:
{group:\"apps\", version:\"v1beta1\", resource:\"deployments\"}`
(indicating the resource of the original API request).
\n See documentation for the \"matchPolicy\" field in
the webhook configuration type."
properties:
group:
type: string
resource:
type: string
version:
type: string
required:
- group
- resource
- version
type: object
requestSubResource:
description: RequestSubResource is the name of the subresource
of the original API request, if any (for example, "status"
or "scale") If this is specified and differs from the
value in "subResource", an equivalent match and conversion
was performed. See documentation for the "matchPolicy"
field in the webhook configuration type.
type: string
resource:
description: Resource is the fully-qualified resource
being requested (for example, v1.pods)
properties:
group:
type: string
resource:
type: string
version:
type: string
required:
- group
- resource
- version
type: object
subResource:
description: SubResource is the subresource being requested,
if any (for example, "status" or "scale")
type: string
uid:
description: UID is an identifier for the individual request/response.
It allows us to distinguish instances of requests which
are otherwise identical (parallel requests, requests
when earlier requests did not modify etc) The UID is
meant to track the round trip (request/response) between
the KAS and the WebHook, not the user request. It is
suitable for correlating log entries between the webhook
and apiserver, for either auditing or debugging.
type: string
userInfo:
description: UserInfo is information about the requesting
user
properties:
extra:
additionalProperties:
description: ExtraValue masks the value so protobuf
can generate
items:
type: string
type: array
description: Any additional information provided by
the authenticator.
type: object
groups:
description: The names of groups this user is a part
of.
items:
type: string
type: array
uid:
description: A unique value that identifies this user
across time. If this user is deleted and another
user by the same name is added, they will have different
UIDs.
type: string
username:
description: The name that uniquely identifies this
user among all active users.
type: string
type: object
required:
- kind
- operation
- resource
- uid
- userInfo
type: object
operation:
description: Operation is the type of resource operation being
checked for admission control
@ -7020,12 +7168,6 @@ spec:
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: v1
kind: ServiceAccount

4
docs/crd/v1beta1/index.html
View file

@ -178,7 +178,9 @@ UpdateRequestStatus
<td>
<code>admissionRequest</code></br>
<em>
string
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#admissionrequest-v1-admission">
Kubernetes admission/v1.AdmissionRequest
</a>
</em>
</td>
<td>

18
pkg/background/common/context.go
View file

@ -1,7 +1,6 @@
package common
import (
"encoding/json"
"fmt"
"reflect"
@ -14,7 +13,6 @@ import (
"github.com/kyverno/kyverno/pkg/engine/context"
utils "github.com/kyverno/kyverno/pkg/utils"
"github.com/pkg/errors"
admissionv1 "k8s.io/api/admission/v1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
)
@ -26,21 +24,15 @@ func NewBackgroundContext(dclient dclient.Interface, ur *kyvernov1beta1.UpdateRe
logger logr.Logger,
) (*engine.PolicyContext, bool, error) {
ctx := context.NewContext()
requestString := ur.Spec.Context.AdmissionRequestInfo.AdmissionRequest
var request admissionv1.AdmissionRequest
var new, old unstructured.Unstructured
var err error
if requestString != "" {
err := json.Unmarshal([]byte(requestString), &request)
if err != nil {
return nil, false, errors.Wrap(err, "error parsing the request string")
}
if err := ctx.AddRequest(&request); err != nil {
if ur.Spec.Context.AdmissionRequestInfo.AdmissionRequest != nil {
if err := ctx.AddRequest(ur.Spec.Context.AdmissionRequestInfo.AdmissionRequest); err != nil {
return nil, false, errors.Wrap(err, "failed to load request in context")
}
new, old, err = utils.ExtractResources(nil, &request)
new, old, err = utils.ExtractResources(nil, ur.Spec.Context.AdmissionRequestInfo.AdmissionRequest)
if err != nil {
return nil, false, errors.Wrap(err, "failed to load request in context")
}
@ -61,7 +53,7 @@ func NewBackgroundContext(dclient dclient.Interface, ur *kyvernov1beta1.UpdateRe
return nil, false, errors.New("trigger resource does not exist")
}
err := ctx.AddResource(trigger.Object)
err = ctx.AddResource(trigger.Object)
if err != nil {
return nil, false, errors.Wrap(err, "failed to load resource in context")
}

7
pkg/webhooks/resource/utils.go
View file

@ -5,7 +5,6 @@ import (
"fmt"
"strings"
"github.com/gardener/controller-manager-library/pkg/logger"
"github.com/go-logr/logr"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"
@ -318,12 +317,8 @@ func stripNonPolicyFields(obj, newRes map[string]interface{}, logger logr.Logger
func applyUpdateRequest(request *admissionv1.AdmissionRequest, ruleType kyvernov1beta1.RequestType, grGenerator updaterequest.Generator, userRequestInfo kyvernov1beta1.RequestInfo,
action admissionv1.Operation, engineResponses ...*response.EngineResponse,
) (failedUpdateRequest []updateRequestResponse) {
requestBytes, err := json.Marshal(request)
if err != nil {
logger.Error(err, "error loading request into context")
}
admissionRequestInfo := kyvernov1beta1.AdmissionRequestInfoObject{
AdmissionRequest: string(requestBytes),
AdmissionRequest: request,
Operation: action,
}