feat: ignore admission requests sent by the kyverno background controller (#6499)
* ignore ARs sent by the kyverno background controller Signed-off-by: ShutingZhao <shuting@nirmata.com> * add a kuttl test Signed-off-by: ShutingZhao <shuting@nirmata.com> * add background controller sa to exclude usernames Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com>
This commit is contained in:
parent
4bd2e42b96
commit
dbfeb75793
9 changed files with 41 additions and 1 deletions
|
@ -193,6 +193,7 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
| config.defaultRegistry | string | `"docker.io"` | The registry hostname used for the image mutation. |
|
||||
| config.excludeGroupRole | list | `[]` | Exclude group role |
|
||||
| config.excludeUsername | list | `[]` | Exclude username |
|
||||
| config.excludeBackgroundUsernames | list | `[]` | Exclude usernames for mutateExisting and generate policies |
|
||||
| config.generateSuccessEvents | bool | `false` | Generate success events. |
|
||||
| config.resourceFilters | list | See [values.yaml](values.yaml) | Resource types to be skipped by the Kyverno policy engine. Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list. These are joined together without spaces, run through `tpl`, and the result is set in the config map. |
|
||||
| config.webhooks | list | `[]` | Defines the `namespaceSelector` in the webhook configurations. Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element will be forwarded to the webhook configurations. The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default) |
|
||||
|
|
|
@ -19,6 +19,13 @@ data:
|
|||
{{- with .Values.config.excludeGroupRole }}
|
||||
excludeGroupRole: {{ join "," . | quote }}
|
||||
{{- end -}}
|
||||
{{- $backgroundUsernames := (printf "system:serviceaccount:%s:%s" (include "kyverno.namespace" .) (include "kyverno.background-controller.serviceAccountName" .)) }}
|
||||
{{- if .Values.config.excludeBackgroundUsernames }}
|
||||
{{- $backgroundUsernames = prepend .Values.config.excludeBackgroundUsernames $backgroundUsernames}}
|
||||
excludeBackgroundUsernames: {{ join "," $backgroundUsernames | quote }}
|
||||
{{- else }}
|
||||
excludeBackgroundUsernames: {{ $backgroundUsernames }}
|
||||
{{- end -}}
|
||||
{{- with .Values.config.excludeUsername }}
|
||||
excludeUsername: {{ join "," . | quote }}
|
||||
{{- end -}}
|
||||
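Review bot: The two branches emit the new key with different quoting: the `if` branch writes `excludeBackgroundUsernames: {{ join "," $backgroundUsernames | quote }}` while the `else` branch writes the bare `{{ $backgroundUsernames }}`. The default value is `system:serviceaccount:<namespace>:<serviceAccountName>`, which is a valid plain YAML scalar today, but because this key is what the webhook uses to skip mutateExisting and generate policies for a caller, any future namespace or service-account name that needs quoting would silently change the list the controller loads. Using `excludeBackgroundUsernames: {{ $backgroundUsernames | quote }}` in the `else` branch keeps both branches identical in shape. Note also that since both branches always emit the key, the chart never exercises the Go side's "No excludeBackgroundUsernames defined" path.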
|
|
|
@ -49,6 +49,9 @@ config:
|
|||
# -- Exclude username
|
||||
excludeUsername: []
|
||||
|
||||
# -- Exclude usernames for mutateExisting and generate policies
|
||||
excludeBackgroundUsernames: []
|
||||
|
||||
# -- Generate success events.
|
||||
generateSuccessEvents: false
|
||||
|
||||
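Review bot: The comment on the new `excludeBackgroundUsernames` value does not say that the background controller's own service account is always added to the list by the configmap template, nor that entries are matched as wildcard patterns by the webhook, both of which matter to an operator deciding what to put here since a matching caller bypasses every mutateExisting and generate policy. I would extend it to `# -- Exclude usernames for mutateExisting and generate policies. The background controller's service account is always included; entries are matched as wildcard patterns.` so the bypass semantics are visible where the value is set.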
|
@ -1093,7 +1096,7 @@ backgroundController:
|
|||
- key: app.kubernetes.io/component
|
||||
operator: In
|
||||
values:
|
||||
- reports-controller
|
||||
- background-controller
|
||||
topologyKey: kubernetes.io/hostname
|
||||
|
||||
# -- Pod affinity constraints.
|
||||
|
|
1
go.mod
1
go.mod
|
@ -68,6 +68,7 @@ require (
|
|||
k8s.io/api v0.26.2
|
||||
k8s.io/apiextensions-apiserver v0.26.2
|
||||
k8s.io/apimachinery v0.26.2
|
||||
k8s.io/apiserver v0.26.2
|
||||
k8s.io/cli-runtime v0.26.2
|
||||
k8s.io/client-go v0.26.2
|
||||
k8s.io/klog/v2 v2.90.1
|
||||
|
|
2
go.sum
2
go.sum
|
@ -2163,6 +2163,8 @@ k8s.io/apimachinery v0.26.2 h1:da1u3D5wfR5u2RpLhE/ZtZS2P7QvDgLZTi9wrNZl/tQ=
|
|||
k8s.io/apimachinery v0.26.2/go.mod h1:ats7nN1LExKHvJ9TmwootT00Yz05MuYqPXEXaVeOy5I=
|
||||
k8s.io/apiserver v0.20.1/go.mod h1:ro5QHeQkgMS7ZGpvf4tSMx6bBOgPfE+f52KwvXfScaU=
|
||||
k8s.io/apiserver v0.20.2/go.mod h1:2nKd93WyMhZx4Hp3RfgH2K5PhwyTrprrkWYnI7id7jA=
|
||||
k8s.io/apiserver v0.26.2 h1:Pk8lmX4G14hYqJd1poHGC08G03nIHVqdJMR0SD3IH3o=
|
||||
k8s.io/apiserver v0.26.2/go.mod h1:GHcozwXgXsPuOJ28EnQ/jXEM9QeG6HT22YxSNmpYNh8=
|
||||
k8s.io/cli-runtime v0.26.2 h1:6XcIQOYW1RGNwFgRwejvyUyAojhToPmJLGr0JBMC5jw=
|
||||
k8s.io/cli-runtime v0.26.2/go.mod h1:U7sIXX7n6ZB+MmYQsyJratzPeJwgITqrSlpr1a5wM5I=
|
||||
k8s.io/client-go v0.20.1/go.mod h1:/zcHdt1TeWSd5HoUe6elJmHSQ6uLLgp4bIJHVEuy+/Y=
|
||||
|
|
|
@ -143,6 +143,8 @@ type Configuration interface {
|
|||
GetExcludedGroups() []string
|
||||
// GetExcludedUsernames return exclude usernames
|
||||
GetExcludedUsernames() []string
|
||||
// GetExcludedBackgroundUsernames return exclude usernames for mutateExisting and generate policies
|
||||
GetExcludedBackgroundUsernames() []string
|
||||
// GetGenerateSuccessEvents return if should generate success events
|
||||
GetGenerateSuccessEvents() bool
|
||||
// GetWebhooks returns the webhook configs
|
||||
|
@ -157,6 +159,7 @@ type configuration struct {
|
|||
enableDefaultRegistryMutation bool
|
||||
excludedGroups []string
|
||||
excludedUsernames []string
|
||||
excludeBackgroundUsernames []string
|
||||
filters []filter
|
||||
generateSuccessEvents bool
|
||||
mux sync.RWMutex
|
||||
|
@ -221,6 +224,12 @@ func (cd *configuration) GetExcludedUsernames() []string {
|
|||
return cd.excludedUsernames
|
||||
}
|
||||
|
||||
func (cd *configuration) GetExcludedBackgroundUsernames() []string {
|
||||
cd.mux.RLock()
|
||||
defer cd.mux.RUnlock()
|
||||
return cd.excludeBackgroundUsernames
|
||||
}
|
||||
|
||||
func (cd *configuration) GetExcludedGroups() []string {
|
||||
cd.mux.RLock()
|
||||
defer cd.mux.RUnlock()
|
||||
|
@ -300,6 +309,13 @@ func (cd *configuration) load(cm *corev1.ConfigMap) {
|
|||
} else {
|
||||
cd.excludedUsernames = parseRbac(excludedUsernames)
|
||||
}
|
||||
// load excludeBackgroundUsernames
|
||||
excludeBackgroundUsernames, ok := cm.Data["excludeBackgroundUsernames"]
|
||||
if !ok {
|
||||
logger.V(6).Info("configuration: No excludeBackgroundUsernames defined in ConfigMap")
|
||||
} else {
|
||||
cd.excludeBackgroundUsernames = parseRbac(excludeBackgroundUsernames)
|
||||
}
|
||||
// load generateSuccessEvents
|
||||
generateSuccessEvents, ok := cm.Data["generateSuccessEvents"]
|
||||
if ok {
|
||||
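Review bot: In the `!ok` branch of the new `excludeBackgroundUsernames` handling, `cd.excludeBackgroundUsernames` is left untouched rather than cleared, so if `load` is applied to an existing configuration on ConfigMap update (not visible in this hunk) an operator who removes the key to re-enable background policies for a user would keep the previously loaded exclusions in effect until restart. Since a matching entry skips mutateExisting and generate policies entirely, an explicit `cd.excludeBackgroundUsernames = nil` next to the log line would make that path predictable; the adjacent `excludedUsernames` branch has the same shape, so this may be the established pattern, in which case a short comment saying the previous value is intentionally retained would do. Separately, the field name `excludeBackgroundUsernames` breaks the `excludedUsernames`/`excludedGroups` convention; `excludedBackgroundUsernames` would also match the getter `GetExcludedBackgroundUsernames`. The `load` function continues outside the hunk.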
|
|
|
@ -11,6 +11,7 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/engine"
|
||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||
"github.com/kyverno/kyverno/pkg/event"
|
||||
"github.com/kyverno/kyverno/pkg/utils/wildcard"
|
||||
"github.com/kyverno/kyverno/pkg/webhooks/resource/generation"
|
||||
webhookutils "github.com/kyverno/kyverno/pkg/webhooks/utils"
|
||||
admissionv1 "k8s.io/api/admission/v1"
|
||||
|
@ -18,6 +19,11 @@ import (
|
|||
|
||||
// handleBackgroundApplies applies generate and mutateExisting policies, and creates update requests for background reconcile
|
||||
func (h *handlers) handleBackgroundApplies(ctx context.Context, logger logr.Logger, request *admissionv1.AdmissionRequest, policyContext *engine.PolicyContext, generatePolicies, mutatePolicies []kyvernov1.PolicyInterface, ts time.Time) {
|
||||
for _, username := range h.configuration.GetExcludedBackgroundUsernames() {
|
||||
if wildcard.Match(username, policyContext.AdmissionInfo().AdmissionUserInfo.Username) {
|
||||
return
|
||||
}
|
||||
}
|
||||
go h.handleMutateExisting(ctx, logger, request, mutatePolicies, policyContext, ts)
|
||||
h.handleGenerate(ctx, logger, request, generatePolicies, policyContext, ts)
|
||||
}
|
||||
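Review bot: The early `return` inside the new exclusion loop leaves no trace when a request is skipped, so when a generate or mutateExisting policy appears not to fire there is nothing in the logs to tie it to an `excludeBackgroundUsernames` match; a debug line before the return, `logger.V(6).Info("skipping background policies for excluded user", "username", policyContext.AdmissionInfo().AdmissionUserInfo.Username, "pattern", username)`, would cover that. The function comment should also mention the bypass, e.g. `// Requests whose username matches an entry in excludeBackgroundUsernames (wildcards allowed) are skipped entirely.`, since a broad pattern in that list disables both handlers for every matching caller and that is worth seeing at the call site.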
|
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
commands:
|
||||
- command: sleep 3
|
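Review bot: The step's purpose is not stated; a fixed `sleep 3` is presumably there to give the background controller time to act before the next step asserts, and a one-line comment saying so, e.g. `# give the background controller time to process the update request before the next step asserts`, would let a reader tell a deliberate settle period from a leftover. If the following step checks that nothing was generated, a fixed wait is the natural way to express it, but the comment is what makes that intent visible.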