From df105ff5963eb5e9aba7eec609c4378088209e21 Mon Sep 17 00:00:00 2001
From: shuting
Date: Wed, 5 Jan 2022 15:47:42 +0800
Subject: [PATCH] Improve endpoint check (#2902)
* improve endpoint checks
Signed-off-by: ShutingZhao
* update make target for the local build
Signed-off-by: ShutingZhao
* remove debug log
Signed-off-by: ShutingZhao
---
 Makefile | 2 +-
 pkg/webhookconfig/registration.go | 36 +++++++++++++++++++++++++------
 2 files changed, 31 insertions(+), 7 deletions(-)
diff --git a/Makefile b/Makefile
index abe11176bd..ab3b93286e 100644
--- a/Makefile
+++ b/Makefile
@@ -141,7 +141,7 @@ docker-build-kyverno: docker-buildx-builder
 docker-build-kyverno-local:
 CGO_ENABLED=0 GOOS=linux go build -o $(PWD)/$(KYVERNO_PATH)/kyverno -tags $(TAGS) -ldflags=$(LD_FLAGS_DEV) $(PWD)/$(KYVERNO_PATH)/main.go
 @docker build -f $(PWD)/$(KYVERNO_PATH)/localDockerfile -t $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG_DEV) $(PWD)/$(KYVERNO_PATH)
- @docker tag $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG) $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG_LATEST_DEV)-latest
+ @docker tag $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG_DEV) $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG_LATEST_DEV)-latest
 docker-build-kyverno-amd64:
 @docker build -f $(PWD)/$(KYVERNO_PATH)/Dockerfile -t $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS) --build-arg TARGETPLATFORM="linux/amd64" --build-arg TAGS=$(TAGS)
diff --git a/pkg/webhookconfig/registration.go b/pkg/webhookconfig/registration.go
index 8317b4ab18..d25ddc997c 100644
--- a/pkg/webhookconfig/registration.go
+++ b/pkg/webhookconfig/registration.go
@@ -14,6 +14,7 @@ import (
 client "github.com/kyverno/kyverno/pkg/dclient"
 "github.com/kyverno/kyverno/pkg/resourcecache"
 "github.com/kyverno/kyverno/pkg/tls"
+ "github.com/kyverno/kyverno/pkg/utils"
 "github.com/pkg/errors"
 admregapi "k8s.io/api/admissionregistration/v1"
 corev1 "k8s.io/api/core/v1"
@@ -621,13 +622,12 @@ func (wrc *Register) checkEndpoint() error {
 return fmt.Errorf("failed to list Kyverno Pod: %v", err)
 }
- kyverno := pods.Items[0]
- podIP, _, err := unstructured.NestedString(kyverno.UnstructuredContent(), "status", "podIP")
- if err != nil {
- return fmt.Errorf("failed to extract pod IP: %v", err)
+ ips, errs := getHealthyPodsIP(pods.Items)
+ if len(errs) != 0 {
+ return fmt.Errorf("error getting pod's IP: %v", errs)
 }
- if podIP == "" {
+ if len(ips) == 0 {
 return fmt.Errorf("pod is not assigned to any node yet")
 }
@@ -637,7 +637,7 @@ func (wrc *Register) checkEndpoint() error {
 }
 for _, addr := range subset.Addresses {
- if addr.IP == podIP {
+ if utils.ContainsString(ips, addr.IP) {
 wrc.log.Info("Endpoint ready", "ns", config.KyvernoNamespace, "name", config.KyvernoServiceName)
 return nil
 }
@@ -652,6 +652,30 @@ func (wrc *Register) checkEndpoint() error {
 return err
 }
+func getHealthyPodsIP(pods []unstructured.Unstructured) (ips []string, errs []error) {
+ for _, pod := range pods {
+ phase, _, err := unstructured.NestedString(pod.UnstructuredContent(), "status", "phase")
+ if err != nil {
+ errs = append(errs, fmt.Errorf("failed to get pod %s status: %v", pod.GetName(), err))
+ continue
+ }
+
+ if phase != "Running" {
+ continue
+ }
+
+ ip, _, err := unstructured.NestedString(pod.UnstructuredContent(), "status", "podIP")
+ if err != nil {
+ errs = append(errs, fmt.Errorf("failed to extract pod %s IP: %v", pod.GetName(), err))
+ continue
+ }
+
+ ips = append(ips, ip)
+ }
+
+ return
+}
+
 func (wrc *Register) updateResourceValidatingWebhookConfiguration(nsSelector map[string]interface{}) error {
 validatingCache, _ := wrc.resCache.GetGVRCache(kindValidating)
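Review bot: The empty-IP guard from the removed code (`if podIP == ""`) has no equivalent on the new side. `getHealthyPodsIP`, added in the last hunk of this file, discards the second result of `unstructured.NestedString` and appends `ip` unconditionally, so a pod in phase Running without `status.podIP` puts `""` into `ips` and `len(ips) == 0` stays false. Filter it where the IP is read, with `if ip == "" { continue }` before `ips = append(ips, ip)`, so this check only passes on real addresses. Separately, `len(errs) != 0` fails the whole check when one pod has a malformed status even if another pod yielded a usable IP, and the message "pod is not assigned to any node yet" now also covers the case where no pod is in phase Running; both deserve a deliberate decision, since this function appears to gate webhook registration. checkEndpoint starts and ends outside this hunk.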
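Review bot: `getHealthyPodsIP` has no doc comment, and "healthy" here means only `status.phase == "Running"`; a pod in that phase can still be failing its readiness probe or be terminating. Whether that matters depends on the caller, which matches the result against `subset.Addresses`; presumably only ready endpoints are listed there, but the function should state what it does not check. I would add `// getHealthyPodsIP returns status.podIP for each pod whose status.phase is "Running"; it does not inspect the Ready condition. Per-pod extraction errors are collected in errs.` and replace the naked `return` with `return ips, errs` so the results are visible at the return site.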