fix conflicts (#7109)
Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
parent
c845c0dc02
commit
e76c2bb325
12 changed files with 122 additions and 45 deletions
|
@ -1,3 +1,9 @@
|
||||||
|
## v1.9.3
|
||||||
|
|
||||||
|
### Note
|
||||||
|
|
||||||
|
- Added support for configuring webhook annotations in the config map through `webhookAnnotations` stanza.
|
||||||
|
|
||||||
## v1.9.0-rc.1
|
## v1.9.0-rc.1
|
||||||
|
|
||||||
### Note
|
### Note
|
||||||
|
|
|
@ -26,7 +26,5 @@ annotations:
|
||||||
url: https://kyverno.io/docs
|
url: https://kyverno.io/docs
|
||||||
# valid kinds are: added, changed, deprecated, removed, fixed and security
|
# valid kinds are: added, changed, deprecated, removed, fixed and security
|
||||||
artifacthub.io/changes: |
|
artifacthub.io/changes: |
|
||||||
- kind: changed
|
- kind: added
|
||||||
description: Syntax change for webhooksCleanup switch to match with the rest of the file
|
description: support for webhook annotations in config map
|
||||||
- kind: fixed
|
|
||||||
description: Handle multiple extraArgs in init container
|
|
||||||
|
|
|
@ -186,6 +186,7 @@ The command removes all the Kubernetes components associated with the chart and
|
||||||
| config.generateSuccessEvents | bool | `false` | Generate success events. |
|
| config.generateSuccessEvents | bool | `false` | Generate success events. |
|
||||||
| config.metricsConfig | object | `{"annotations":{},"namespaces":{"exclude":[],"include":[]}}` | Metrics config. |
|
| config.metricsConfig | object | `{"annotations":{},"namespaces":{"exclude":[],"include":[]}}` | Metrics config. |
|
||||||
| config.metricsConfig.annotations | object | `{}` | Additional annotations to add to the metricsconfigmap |
|
| config.metricsConfig.annotations | object | `{}` | Additional annotations to add to the metricsconfigmap |
|
||||||
|
| config.webhookAnnotations | object | `{}` | Defines annotations to set on webhook configurations. |
|
||||||
| updateStrategy | object | See [values.yaml](values.yaml) | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy |
|
| updateStrategy | object | See [values.yaml](values.yaml) | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy |
|
||||||
| service.port | int | `443` | Service port. |
|
| service.port | int | `443` | Service port. |
|
||||||
| service.type | string | `"ClusterIP"` | Service type. |
|
| service.type | string | `"ClusterIP"` | Service type. |
|
||||||
|
|
|
@ -31,4 +31,7 @@ data:
|
||||||
{{- if .Values.config.generateSuccessEvents }}
|
{{- if .Values.config.generateSuccessEvents }}
|
||||||
generateSuccessEvents: {{ .Values.config.generateSuccessEvents | quote }}
|
generateSuccessEvents: {{ .Values.config.generateSuccessEvents | quote }}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
{{- with .Values.config.webhookAnnotations }}
|
||||||
|
webhookAnnotations: {{ toJson . | quote }}
|
||||||
|
{{- end }}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
|
@ -392,6 +392,12 @@ config:
|
||||||
|
|
||||||
# Or provide an existing metrics config-map by uncommenting the below line
|
# Or provide an existing metrics config-map by uncommenting the below line
|
||||||
# existingMetricsConfig: sample-metrics-configmap. Refer to the ./templates/metricsconfigmap.yaml for the structure of metrics configmap.
|
# existingMetricsConfig: sample-metrics-configmap. Refer to the ./templates/metricsconfigmap.yaml for the structure of metrics configmap.
|
||||||
|
|
||||||
|
# -- Defines annotations to set on webhook configurations.
|
||||||
|
webhookAnnotations: {}
|
||||||
|
# Example to disable admission enforcer on AKS:
|
||||||
|
# 'admissions.enforcer/disabled': 'true'
|
||||||
|
|
||||||
# -- Deployment update strategy.
|
# -- Deployment update strategy.
|
||||||
# Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
|
# Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
|
||||||
# @default -- See [values.yaml](values.yaml)
|
# @default -- See [values.yaml](values.yaml)
|
||||||
|
|
|
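Review bot: The `# -- Defines annotations to set on webhook configurations.` comment above `webhookAnnotations: {}` should say that the map is written verbatim onto every Kyverno-managed ValidatingWebhookConfiguration and MutatingWebhookConfiguration and replaces whatever annotations those objects already carry, because the controllers in this commit assign `w.Annotations = desired.Annotations` on each reconcile, so annotations added by other tooling do not survive. It is also worth stating that the value is read from the Kyverno config map at reconcile time, so write access to that config map now implies the ability to set annotations on these cluster-scoped objects, which matters for an example like `admissions.enforcer/disabled` that changes how the cluster treats the webhooks. Suggested wording: `# -- Annotations to set on all Kyverno webhook configurations. Replaces any existing annotations on those objects; read from the Kyverno config map on every reconcile.`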
@ -121,6 +121,7 @@ func main() {
|
||||||
kubeClient.AdmissionregistrationV1().ValidatingWebhookConfigurations(),
|
kubeClient.AdmissionregistrationV1().ValidatingWebhookConfigurations(),
|
||||||
kubeInformer.Admissionregistration().V1().ValidatingWebhookConfigurations(),
|
kubeInformer.Admissionregistration().V1().ValidatingWebhookConfigurations(),
|
||||||
kubeKyvernoInformer.Core().V1().Secrets(),
|
kubeKyvernoInformer.Core().V1().Secrets(),
|
||||||
|
kubeKyvernoInformer.Core().V1().ConfigMaps(),
|
||||||
config.CleanupValidatingWebhookConfigurationName,
|
config.CleanupValidatingWebhookConfigurationName,
|
||||||
config.CleanupValidatingWebhookServicePath,
|
config.CleanupValidatingWebhookServicePath,
|
||||||
serverIP,
|
serverIP,
|
||||||
|
|
|
@ -321,6 +321,7 @@ func createrLeaderControllers(
|
||||||
kubeClient.AdmissionregistrationV1().ValidatingWebhookConfigurations(),
|
kubeClient.AdmissionregistrationV1().ValidatingWebhookConfigurations(),
|
||||||
kubeInformer.Admissionregistration().V1().ValidatingWebhookConfigurations(),
|
kubeInformer.Admissionregistration().V1().ValidatingWebhookConfigurations(),
|
||||||
kubeKyvernoInformer.Core().V1().Secrets(),
|
kubeKyvernoInformer.Core().V1().Secrets(),
|
||||||
|
kubeKyvernoInformer.Core().V1().ConfigMaps(),
|
||||||
config.ExceptionValidatingWebhookConfigurationName,
|
config.ExceptionValidatingWebhookConfigurationName,
|
||||||
config.ExceptionValidatingWebhookServicePath,
|
config.ExceptionValidatingWebhookServicePath,
|
||||||
serverIP,
|
serverIP,
|
||||||
|
|
|
@ -6,7 +6,7 @@ import (
|
||||||
"sync"
|
"sync"
|
||||||
|
|
||||||
osutils "github.com/kyverno/kyverno/pkg/utils/os"
|
osutils "github.com/kyverno/kyverno/pkg/utils/os"
|
||||||
wildcard "github.com/kyverno/kyverno/pkg/utils/wildcard"
|
"github.com/kyverno/kyverno/pkg/utils/wildcard"
|
||||||
corev1 "k8s.io/api/core/v1"
|
corev1 "k8s.io/api/core/v1"
|
||||||
"k8s.io/apimachinery/pkg/api/errors"
|
"k8s.io/apimachinery/pkg/api/errors"
|
||||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
|
@ -142,18 +142,21 @@ type Configuration interface {
|
||||||
FilterNamespaces(namespaces []string) []string
|
FilterNamespaces(namespaces []string) []string
|
||||||
// GetWebhooks returns the webhook configs
|
// GetWebhooks returns the webhook configs
|
||||||
GetWebhooks() []WebhookConfig
|
GetWebhooks() []WebhookConfig
|
||||||
|
// GetWebhookAnnotations returns annotations to set on webhook configs
|
||||||
|
GetWebhookAnnotations() map[string]string
|
||||||
// Load loads configuration from a configmap
|
// Load loads configuration from a configmap
|
||||||
Load(cm *corev1.ConfigMap)
|
Load(cm *corev1.ConfigMap)
|
||||||
}
|
}
|
||||||
|
|
||||||
// configuration stores the configuration
|
// configuration stores the configuration
|
||||||
type configuration struct {
|
type configuration struct {
|
||||||
mux sync.RWMutex
|
|
||||||
filters []filter
|
filters []filter
|
||||||
excludeGroupRole []string
|
excludeGroupRole []string
|
||||||
excludeUsername []string
|
excludeUsername []string
|
||||||
webhooks []WebhookConfig
|
webhooks []WebhookConfig
|
||||||
generateSuccessEvents bool
|
generateSuccessEvents bool
|
||||||
|
webhookAnnotations map[string]string
|
||||||
|
mux sync.RWMutex
|
||||||
}
|
}
|
||||||
|
|
||||||
// NewDefaultConfiguration ...
|
// NewDefaultConfiguration ...
|
||||||
|
@ -227,6 +230,12 @@ func (cd *configuration) GetWebhooks() []WebhookConfig {
|
||||||
return cd.webhooks
|
return cd.webhooks
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (cd *configuration) GetWebhookAnnotations() map[string]string {
|
||||||
|
cd.mux.RLock()
|
||||||
|
defer cd.mux.RUnlock()
|
||||||
|
return cd.webhookAnnotations
|
||||||
|
}
|
||||||
|
|
||||||
func (cd *configuration) Load(cm *corev1.ConfigMap) {
|
func (cd *configuration) Load(cm *corev1.ConfigMap) {
|
||||||
if cm != nil {
|
if cm != nil {
|
||||||
cd.load(cm)
|
cd.load(cm)
|
||||||
|
@ -275,6 +284,16 @@ func (cd *configuration) load(cm *corev1.ConfigMap) {
|
||||||
cd.webhooks = webhooks
|
cd.webhooks = webhooks
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
// load webhook annotations
|
||||||
|
webhookAnnotations, ok := cm.Data["webhookAnnotations"]
|
||||||
|
if ok {
|
||||||
|
webhookAnnotations, err := parseWebhookAnnotations(webhookAnnotations)
|
||||||
|
if err != nil {
|
||||||
|
logger.Error(err, "failed to parse webhook annotations")
|
||||||
|
} else {
|
||||||
|
cd.webhookAnnotations = webhookAnnotations
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func (cd *configuration) unload() {
|
func (cd *configuration) unload() {
|
||||||
|
@ -286,4 +305,5 @@ func (cd *configuration) unload() {
|
||||||
cd.generateSuccessEvents = false
|
cd.generateSuccessEvents = false
|
||||||
cd.webhooks = nil
|
cd.webhooks = nil
|
||||||
cd.excludeGroupRole = append(cd.excludeGroupRole, defaultExcludeGroupRole...)
|
cd.excludeGroupRole = append(cd.excludeGroupRole, defaultExcludeGroupRole...)
|
||||||
|
cd.webhookAnnotations = nil
|
||||||
}
|
}
|
||||||
|
|
|
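Review bot: `GetWebhookAnnotations` returns `cd.webhookAnnotations` itself, so the read lock covers only the pointer read and the callers in the webhook controllers store that same map straight into `ObjectMeta.Annotations`; a caller that later adds or deletes a key would mutate the configuration outside the lock. `load` replaces the map wholesale rather than mutating it, so as far as this diff shows it is aliasing rather than a data race, and `GetWebhooks` already follows the same convention, but a copy is cheap: `out := make(map[string]string, len(cd.webhookAnnotations))`, `for k, v := range cd.webhookAnnotations { out[k] = v }`, `return out`. In `load`, `webhookAnnotations, err := parseWebhookAnnotations(webhookAnnotations)` redeclares the string as a map inside the `if ok` block, which reads confusingly; naming the decoded value `annotations` keeps one type per name. If the copy is not made, the `// GetWebhookAnnotations returns annotations to set on webhook configs` doc line should at least say the result must be treated as read-only.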
@ -21,6 +21,14 @@ func parseWebhooks(webhooks string) ([]WebhookConfig, error) {
|
||||||
return webhookCfgs, nil
|
return webhookCfgs, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func parseWebhookAnnotations(in string) (map[string]string, error) {
|
||||||
|
var out map[string]string
|
||||||
|
if err := json.Unmarshal([]byte(in), &out); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
return out, nil
|
||||||
|
}
|
||||||
|
|
||||||
func parseRbac(list string) []string {
|
func parseRbac(list string) []string {
|
||||||
return strings.Split(list, ",")
|
return strings.Split(list, ",")
|
||||||
}
|
}
|
||||||
|
|
|
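Review bot: `parseWebhookAnnotations` accepts any JSON object of strings without checking that the keys are well-formed annotation keys, so a malformed key in the config map is only caught when the API server rejects the webhook configuration update in every controller that calls `GetWebhookAnnotations()`, and since `w.Annotations` is set in the same `controllerutils.Update` call as `w.Webhooks`, those controllers cannot update the webhook configurations at all (including the CA bundle they carry) until the config map is fixed, as far as the hunks here show. Validating keys at parse time with `validation.IsQualifiedName` from `k8s.io/apimachinery/pkg/util/validation` turns this into a logged parse error with the annotations ignored, which is what `load` already does for invalid JSON. The function also has no doc comment; the rewrite below adds one and uses `strings`, which this file already imports, while `fmt` and the `validation` package must be added to the import block if they are not already there.
```go
// parseWebhookAnnotations decodes the webhookAnnotations config map value, a
// JSON object of string pairs, and rejects keys that are not valid Kubernetes
// annotation keys so a typo fails here instead of at the API server.
func parseWebhookAnnotations(in string) (map[string]string, error) {
	var out map[string]string
	if err := json.Unmarshal([]byte(in), &out); err != nil {
		return nil, err
	}
	for key := range out {
		// same check the API server applies to annotation keys
		if msgs := validation.IsQualifiedName(strings.ToLower(key)); len(msgs) > 0 {
			return nil, fmt.Errorf("invalid webhook annotation key %q: %s", key, strings.Join(msgs, "; "))
		}
	}
	return out, nil
}
```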
@ -40,8 +40,9 @@ type controller struct {
|
||||||
vwcClient controllerutils.ObjectClient[*admissionregistrationv1.ValidatingWebhookConfiguration]
|
vwcClient controllerutils.ObjectClient[*admissionregistrationv1.ValidatingWebhookConfiguration]
|
||||||
|
|
||||||
// listers
|
// listers
|
||||||
vwcLister admissionregistrationv1listers.ValidatingWebhookConfigurationLister
|
vwcLister admissionregistrationv1listers.ValidatingWebhookConfigurationLister
|
||||||
secretLister corev1listers.SecretNamespaceLister
|
secretLister corev1listers.SecretNamespaceLister
|
||||||
|
configMapLister corev1listers.ConfigMapLister
|
||||||
|
|
||||||
// queue
|
// queue
|
||||||
queue workqueue.RateLimitingInterface
|
queue workqueue.RateLimitingInterface
|
||||||
|
@ -62,6 +63,7 @@ func NewController(
|
||||||
vwcClient controllerutils.ObjectClient[*admissionregistrationv1.ValidatingWebhookConfiguration],
|
vwcClient controllerutils.ObjectClient[*admissionregistrationv1.ValidatingWebhookConfiguration],
|
||||||
vwcInformer admissionregistrationv1informers.ValidatingWebhookConfigurationInformer,
|
vwcInformer admissionregistrationv1informers.ValidatingWebhookConfigurationInformer,
|
||||||
secretInformer corev1informers.SecretInformer,
|
secretInformer corev1informers.SecretInformer,
|
||||||
|
configMapInformer corev1informers.ConfigMapInformer,
|
||||||
webhookName string,
|
webhookName string,
|
||||||
path string,
|
path string,
|
||||||
server string,
|
server string,
|
||||||
|
@ -71,18 +73,19 @@ func NewController(
|
||||||
) controllers.Controller {
|
) controllers.Controller {
|
||||||
queue := workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), controllerName)
|
queue := workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), controllerName)
|
||||||
c := controller{
|
c := controller{
|
||||||
vwcClient: vwcClient,
|
vwcClient: vwcClient,
|
||||||
vwcLister: vwcInformer.Lister(),
|
vwcLister: vwcInformer.Lister(),
|
||||||
secretLister: secretInformer.Lister().Secrets(config.KyvernoNamespace()),
|
secretLister: secretInformer.Lister().Secrets(config.KyvernoNamespace()),
|
||||||
queue: queue,
|
configMapLister: configMapInformer.Lister(),
|
||||||
controllerName: controllerName,
|
queue: queue,
|
||||||
logger: logging.ControllerLogger(controllerName),
|
controllerName: controllerName,
|
||||||
webhookName: webhookName,
|
logger: logging.ControllerLogger(controllerName),
|
||||||
path: path,
|
webhookName: webhookName,
|
||||||
server: server,
|
path: path,
|
||||||
rules: rules,
|
server: server,
|
||||||
failurePolicy: failurePolicy,
|
rules: rules,
|
||||||
sideEffects: sideEffects,
|
failurePolicy: failurePolicy,
|
||||||
|
sideEffects: sideEffects,
|
||||||
}
|
}
|
||||||
controllerutils.AddDefaultEventHandlers(c.logger, vwcInformer.Informer(), queue)
|
controllerutils.AddDefaultEventHandlers(c.logger, vwcInformer.Informer(), queue)
|
||||||
controllerutils.AddEventHandlersT(
|
controllerutils.AddEventHandlersT(
|
||||||
|
@ -103,6 +106,24 @@ func NewController(
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
)
|
)
|
||||||
|
controllerutils.AddEventHandlersT(
|
||||||
|
configMapInformer.Informer(),
|
||||||
|
func(obj *corev1.ConfigMap) {
|
||||||
|
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.KyvernoConfigMapName() {
|
||||||
|
c.enqueue()
|
||||||
|
}
|
||||||
|
},
|
||||||
|
func(_, obj *corev1.ConfigMap) {
|
||||||
|
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.KyvernoConfigMapName() {
|
||||||
|
c.enqueue()
|
||||||
|
}
|
||||||
|
},
|
||||||
|
func(obj *corev1.ConfigMap) {
|
||||||
|
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.KyvernoConfigMapName() {
|
||||||
|
c.enqueue()
|
||||||
|
}
|
||||||
|
},
|
||||||
|
)
|
||||||
return &c
|
return &c
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -115,6 +136,15 @@ func (c *controller) enqueue() {
|
||||||
c.queue.Add(c.webhookName)
|
c.queue.Add(c.webhookName)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (c *controller) loadConfig() config.Configuration {
|
||||||
|
cfg := config.NewDefaultConfiguration()
|
||||||
|
cm, err := c.configMapLister.ConfigMaps(config.KyvernoNamespace()).Get(config.KyvernoConfigMapName())
|
||||||
|
if err == nil {
|
||||||
|
cfg.Load(cm)
|
||||||
|
}
|
||||||
|
return cfg
|
||||||
|
}
|
||||||
|
|
||||||
func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, _, _ string) error {
|
func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, _, _ string) error {
|
||||||
if key != c.webhookName {
|
if key != c.webhookName {
|
||||||
return nil
|
return nil
|
||||||
|
@ -123,7 +153,7 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, _,
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
desired, err := c.build(caData)
|
desired, err := c.build(c.loadConfig(), caData)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -137,6 +167,7 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, _,
|
||||||
}
|
}
|
||||||
_, err = controllerutils.Update(ctx, observed, c.vwcClient, func(w *admissionregistrationv1.ValidatingWebhookConfiguration) error {
|
_, err = controllerutils.Update(ctx, observed, c.vwcClient, func(w *admissionregistrationv1.ValidatingWebhookConfiguration) error {
|
||||||
w.Labels = desired.Labels
|
w.Labels = desired.Labels
|
||||||
|
w.Annotations = desired.Annotations
|
||||||
w.OwnerReferences = desired.OwnerReferences
|
w.OwnerReferences = desired.OwnerReferences
|
||||||
w.Webhooks = desired.Webhooks
|
w.Webhooks = desired.Webhooks
|
||||||
return nil
|
return nil
|
||||||
|
@ -144,19 +175,20 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, _,
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
func objectMeta(name string, owner ...metav1.OwnerReference) metav1.ObjectMeta {
|
func objectMeta(name string, annotations map[string]string, owner ...metav1.OwnerReference) metav1.ObjectMeta {
|
||||||
return metav1.ObjectMeta{
|
return metav1.ObjectMeta{
|
||||||
Name: name,
|
Name: name,
|
||||||
Labels: map[string]string{
|
Labels: map[string]string{
|
||||||
utils.ManagedByLabel: kyvernov1.ValueKyvernoApp,
|
utils.ManagedByLabel: kyvernov1.ValueKyvernoApp,
|
||||||
},
|
},
|
||||||
|
Annotations: annotations,
|
||||||
OwnerReferences: owner,
|
OwnerReferences: owner,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *controller) build(caBundle []byte) (*admissionregistrationv1.ValidatingWebhookConfiguration, error) {
|
func (c *controller) build(cfg config.Configuration, caBundle []byte) (*admissionregistrationv1.ValidatingWebhookConfiguration, error) {
|
||||||
return &admissionregistrationv1.ValidatingWebhookConfiguration{
|
return &admissionregistrationv1.ValidatingWebhookConfiguration{
|
||||||
ObjectMeta: objectMeta(c.webhookName),
|
ObjectMeta: objectMeta(c.webhookName, cfg.GetWebhookAnnotations()),
|
||||||
Webhooks: []admissionregistrationv1.ValidatingWebhook{{
|
Webhooks: []admissionregistrationv1.ValidatingWebhook{{
|
||||||
Name: fmt.Sprintf("%s.%s.svc", config.KyvernoServiceName(), config.KyvernoNamespace()),
|
Name: fmt.Sprintf("%s.%s.svc", config.KyvernoServiceName(), config.KyvernoNamespace()),
|
||||||
ClientConfig: c.clientConfig(caBundle),
|
ClientConfig: c.clientConfig(caBundle),
|
||||||
|
|
|
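Review bot: The three closures passed to `controllerutils.AddEventHandlersT` for `configMapInformer.Informer()` in `NewController` repeat the same namespace/name check and `c.enqueue()` call, so a future change to the predicate has to be made three times; a single handler value reused for add and delete, with a two-argument adapter for update, keeps the logic in one place (assuming `AddEventHandlersT` takes plain function values, which the existing inline closures suggest). `NewController` begins outside this hunk. Separately, `loadConfig` treats every error from the config map lister as "use defaults" via `if err == nil`; a lister's `Get` only reports not-found as far as I know, so this is probably intended, but a one-line comment such as `// a missing config map means defaults apply` would make that explicit.
```go
	// enqueue the webhook whenever the Kyverno config map changes; add, update
	// and delete only differ in signature, so share one handler.
	onConfigMap := func(obj *corev1.ConfigMap) {
		if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.KyvernoConfigMapName() {
			c.enqueue()
		}
	}
	controllerutils.AddEventHandlersT(
		configMapInformer.Informer(),
		onConfigMap,
		func(_, obj *corev1.ConfigMap) { onConfigMap(obj) },
		onConfigMap,
	)
	// … unchanged: return &c …
```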
@ -361,12 +361,12 @@ func (c *controller) reconcileVerifyMutatingWebhookConfiguration(ctx context.Con
|
||||||
return c.reconcileMutatingWebhookConfiguration(ctx, true, c.buildVerifyMutatingWebhookConfiguration)
|
return c.reconcileMutatingWebhookConfiguration(ctx, true, c.buildVerifyMutatingWebhookConfiguration)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *controller) reconcileValidatingWebhookConfiguration(ctx context.Context, autoUpdateWebhooks bool, build func([]byte) (*admissionregistrationv1.ValidatingWebhookConfiguration, error)) error {
|
func (c *controller) reconcileValidatingWebhookConfiguration(ctx context.Context, autoUpdateWebhooks bool, build func(config.Configuration, []byte) (*admissionregistrationv1.ValidatingWebhookConfiguration, error)) error {
|
||||||
caData, err := tls.ReadRootCASecret(c.secretLister.Secrets(config.KyvernoNamespace()))
|
caData, err := tls.ReadRootCASecret(c.secretLister.Secrets(config.KyvernoNamespace()))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
desired, err := build(caData)
|
desired, err := build(c.loadConfig(), caData)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -383,6 +383,7 @@ func (c *controller) reconcileValidatingWebhookConfiguration(ctx context.Context
|
||||||
}
|
}
|
||||||
_, err = controllerutils.Update(ctx, observed, c.vwcClient, func(w *admissionregistrationv1.ValidatingWebhookConfiguration) error {
|
_, err = controllerutils.Update(ctx, observed, c.vwcClient, func(w *admissionregistrationv1.ValidatingWebhookConfiguration) error {
|
||||||
w.Labels = desired.Labels
|
w.Labels = desired.Labels
|
||||||
|
w.Annotations = desired.Annotations
|
||||||
w.OwnerReferences = desired.OwnerReferences
|
w.OwnerReferences = desired.OwnerReferences
|
||||||
w.Webhooks = desired.Webhooks
|
w.Webhooks = desired.Webhooks
|
||||||
return nil
|
return nil
|
||||||
|
@ -390,12 +391,12 @@ func (c *controller) reconcileValidatingWebhookConfiguration(ctx context.Context
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *controller) reconcileMutatingWebhookConfiguration(ctx context.Context, autoUpdateWebhooks bool, build func([]byte) (*admissionregistrationv1.MutatingWebhookConfiguration, error)) error {
|
func (c *controller) reconcileMutatingWebhookConfiguration(ctx context.Context, autoUpdateWebhooks bool, build func(config.Configuration, []byte) (*admissionregistrationv1.MutatingWebhookConfiguration, error)) error {
|
||||||
caData, err := tls.ReadRootCASecret(c.secretLister.Secrets(config.KyvernoNamespace()))
|
caData, err := tls.ReadRootCASecret(c.secretLister.Secrets(config.KyvernoNamespace()))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
desired, err := build(caData)
|
desired, err := build(c.loadConfig(), caData)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -412,6 +413,7 @@ func (c *controller) reconcileMutatingWebhookConfiguration(ctx context.Context,
|
||||||
}
|
}
|
||||||
_, err = controllerutils.Update(ctx, observed, c.mwcClient, func(w *admissionregistrationv1.MutatingWebhookConfiguration) error {
|
_, err = controllerutils.Update(ctx, observed, c.mwcClient, func(w *admissionregistrationv1.MutatingWebhookConfiguration) error {
|
||||||
w.Labels = desired.Labels
|
w.Labels = desired.Labels
|
||||||
|
w.Annotations = desired.Annotations
|
||||||
w.OwnerReferences = desired.OwnerReferences
|
w.OwnerReferences = desired.OwnerReferences
|
||||||
w.Webhooks = desired.Webhooks
|
w.Webhooks = desired.Webhooks
|
||||||
return nil
|
return nil
|
||||||
|
@ -516,9 +518,9 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, nam
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *controller) buildVerifyMutatingWebhookConfiguration(caBundle []byte) (*admissionregistrationv1.MutatingWebhookConfiguration, error) {
|
func (c *controller) buildVerifyMutatingWebhookConfiguration(cfg config.Configuration, caBundle []byte) (*admissionregistrationv1.MutatingWebhookConfiguration, error) {
|
||||||
return &admissionregistrationv1.MutatingWebhookConfiguration{
|
return &admissionregistrationv1.MutatingWebhookConfiguration{
|
||||||
ObjectMeta: objectMeta(config.VerifyMutatingWebhookConfigurationName, c.buildOwner()...),
|
ObjectMeta: objectMeta(config.VerifyMutatingWebhookConfigurationName, cfg.GetWebhookAnnotations(), c.buildOwner()...),
|
||||||
Webhooks: []admissionregistrationv1.MutatingWebhook{{
|
Webhooks: []admissionregistrationv1.MutatingWebhook{{
|
||||||
Name: config.VerifyMutatingWebhookName,
|
Name: config.VerifyMutatingWebhookName,
|
||||||
ClientConfig: c.clientConfig(caBundle, config.VerifyMutatingWebhookServicePath),
|
ClientConfig: c.clientConfig(caBundle, config.VerifyMutatingWebhookServicePath),
|
||||||
|
@ -542,9 +544,9 @@ func (c *controller) buildVerifyMutatingWebhookConfiguration(caBundle []byte) (*
|
||||||
nil
|
nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *controller) buildPolicyMutatingWebhookConfiguration(caBundle []byte) (*admissionregistrationv1.MutatingWebhookConfiguration, error) {
|
func (c *controller) buildPolicyMutatingWebhookConfiguration(cfg config.Configuration, caBundle []byte) (*admissionregistrationv1.MutatingWebhookConfiguration, error) {
|
||||||
return &admissionregistrationv1.MutatingWebhookConfiguration{
|
return &admissionregistrationv1.MutatingWebhookConfiguration{
|
||||||
ObjectMeta: objectMeta(config.PolicyMutatingWebhookConfigurationName, c.buildOwner()...),
|
ObjectMeta: objectMeta(config.PolicyMutatingWebhookConfigurationName, cfg.GetWebhookAnnotations(), c.buildOwner()...),
|
||||||
Webhooks: []admissionregistrationv1.MutatingWebhook{{
|
Webhooks: []admissionregistrationv1.MutatingWebhook{{
|
||||||
Name: config.PolicyMutatingWebhookName,
|
Name: config.PolicyMutatingWebhookName,
|
||||||
ClientConfig: c.clientConfig(caBundle, config.PolicyMutatingWebhookServicePath),
|
ClientConfig: c.clientConfig(caBundle, config.PolicyMutatingWebhookServicePath),
|
||||||
|
@ -564,9 +566,9 @@ func (c *controller) buildPolicyMutatingWebhookConfiguration(caBundle []byte) (*
|
||||||
nil
|
nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *controller) buildPolicyValidatingWebhookConfiguration(caBundle []byte) (*admissionregistrationv1.ValidatingWebhookConfiguration, error) {
|
func (c *controller) buildPolicyValidatingWebhookConfiguration(cfg config.Configuration, caBundle []byte) (*admissionregistrationv1.ValidatingWebhookConfiguration, error) {
|
||||||
return &admissionregistrationv1.ValidatingWebhookConfiguration{
|
return &admissionregistrationv1.ValidatingWebhookConfiguration{
|
||||||
ObjectMeta: objectMeta(config.PolicyValidatingWebhookConfigurationName, c.buildOwner()...),
|
ObjectMeta: objectMeta(config.PolicyValidatingWebhookConfigurationName, cfg.GetWebhookAnnotations(), c.buildOwner()...),
|
||||||
Webhooks: []admissionregistrationv1.ValidatingWebhook{{
|
Webhooks: []admissionregistrationv1.ValidatingWebhook{{
|
||||||
Name: config.PolicyValidatingWebhookName,
|
Name: config.PolicyValidatingWebhookName,
|
||||||
ClientConfig: c.clientConfig(caBundle, config.PolicyValidatingWebhookServicePath),
|
ClientConfig: c.clientConfig(caBundle, config.PolicyValidatingWebhookServicePath),
|
||||||
|
@ -585,9 +587,9 @@ func (c *controller) buildPolicyValidatingWebhookConfiguration(caBundle []byte)
|
||||||
nil
|
nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *controller) buildDefaultResourceMutatingWebhookConfiguration(caBundle []byte) (*admissionregistrationv1.MutatingWebhookConfiguration, error) {
|
func (c *controller) buildDefaultResourceMutatingWebhookConfiguration(cfg config.Configuration, caBundle []byte) (*admissionregistrationv1.MutatingWebhookConfiguration, error) {
|
||||||
return &admissionregistrationv1.MutatingWebhookConfiguration{
|
return &admissionregistrationv1.MutatingWebhookConfiguration{
|
||||||
ObjectMeta: objectMeta(config.MutatingWebhookConfigurationName, c.buildOwner()...),
|
ObjectMeta: objectMeta(config.MutatingWebhookConfigurationName, cfg.GetWebhookAnnotations(), c.buildOwner()...),
|
||||||
Webhooks: []admissionregistrationv1.MutatingWebhook{{
|
Webhooks: []admissionregistrationv1.MutatingWebhook{{
|
||||||
Name: config.MutatingWebhookName + "-ignore",
|
Name: config.MutatingWebhookName + "-ignore",
|
||||||
ClientConfig: c.clientConfig(caBundle, config.MutatingWebhookServicePath+"/ignore"),
|
ClientConfig: c.clientConfig(caBundle, config.MutatingWebhookServicePath+"/ignore"),
|
||||||
|
@ -612,9 +614,9 @@ func (c *controller) buildDefaultResourceMutatingWebhookConfiguration(caBundle [
|
||||||
nil
|
nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *controller) buildResourceMutatingWebhookConfiguration(caBundle []byte) (*admissionregistrationv1.MutatingWebhookConfiguration, error) {
|
func (c *controller) buildResourceMutatingWebhookConfiguration(cfg config.Configuration, caBundle []byte) (*admissionregistrationv1.MutatingWebhookConfiguration, error) {
|
||||||
result := admissionregistrationv1.MutatingWebhookConfiguration{
|
result := admissionregistrationv1.MutatingWebhookConfiguration{
|
||||||
ObjectMeta: objectMeta(config.MutatingWebhookConfigurationName, c.buildOwner()...),
|
ObjectMeta: objectMeta(config.MutatingWebhookConfigurationName, cfg.GetWebhookAnnotations(), c.buildOwner()...),
|
||||||
Webhooks: []admissionregistrationv1.MutatingWebhook{},
|
Webhooks: []admissionregistrationv1.MutatingWebhook{},
|
||||||
}
|
}
|
||||||
if c.watchdogCheck() {
|
if c.watchdogCheck() {
|
||||||
|
@ -641,7 +643,6 @@ func (c *controller) buildResourceMutatingWebhookConfiguration(caBundle []byte)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
cfg := c.loadConfig()
|
|
||||||
webhookCfg := config.WebhookConfig{}
|
webhookCfg := config.WebhookConfig{}
|
||||||
webhookCfgs := cfg.GetWebhooks()
|
webhookCfgs := cfg.GetWebhooks()
|
||||||
if len(webhookCfgs) > 0 {
|
if len(webhookCfgs) > 0 {
|
||||||
|
@ -687,13 +688,13 @@ func (c *controller) buildResourceMutatingWebhookConfiguration(caBundle []byte)
|
||||||
return &result, nil
|
return &result, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *controller) buildDefaultResourceValidatingWebhookConfiguration(caBundle []byte) (*admissionregistrationv1.ValidatingWebhookConfiguration, error) {
|
func (c *controller) buildDefaultResourceValidatingWebhookConfiguration(cfg config.Configuration, caBundle []byte) (*admissionregistrationv1.ValidatingWebhookConfiguration, error) {
|
||||||
sideEffects := &none
|
sideEffects := &none
|
||||||
if c.admissionReports {
|
if c.admissionReports {
|
||||||
sideEffects = &noneOnDryRun
|
sideEffects = &noneOnDryRun
|
||||||
}
|
}
|
||||||
return &admissionregistrationv1.ValidatingWebhookConfiguration{
|
return &admissionregistrationv1.ValidatingWebhookConfiguration{
|
||||||
ObjectMeta: objectMeta(config.ValidatingWebhookConfigurationName, c.buildOwner()...),
|
ObjectMeta: objectMeta(config.ValidatingWebhookConfigurationName, cfg.GetWebhookAnnotations(), c.buildOwner()...),
|
||||||
Webhooks: []admissionregistrationv1.ValidatingWebhook{{
|
Webhooks: []admissionregistrationv1.ValidatingWebhook{{
|
||||||
Name: config.ValidatingWebhookName + "-ignore",
|
Name: config.ValidatingWebhookName + "-ignore",
|
||||||
ClientConfig: c.clientConfig(caBundle, config.ValidatingWebhookServicePath+"/ignore"),
|
ClientConfig: c.clientConfig(caBundle, config.ValidatingWebhookServicePath+"/ignore"),
|
||||||
|
@ -719,9 +720,9 @@ func (c *controller) buildDefaultResourceValidatingWebhookConfiguration(caBundle
|
||||||
nil
|
nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *controller) buildResourceValidatingWebhookConfiguration(caBundle []byte) (*admissionregistrationv1.ValidatingWebhookConfiguration, error) {
|
func (c *controller) buildResourceValidatingWebhookConfiguration(cfg config.Configuration, caBundle []byte) (*admissionregistrationv1.ValidatingWebhookConfiguration, error) {
|
||||||
result := admissionregistrationv1.ValidatingWebhookConfiguration{
|
result := admissionregistrationv1.ValidatingWebhookConfiguration{
|
||||||
ObjectMeta: objectMeta(config.ValidatingWebhookConfigurationName, c.buildOwner()...),
|
ObjectMeta: objectMeta(config.ValidatingWebhookConfigurationName, cfg.GetWebhookAnnotations(), c.buildOwner()...),
|
||||||
Webhooks: []admissionregistrationv1.ValidatingWebhook{},
|
Webhooks: []admissionregistrationv1.ValidatingWebhook{},
|
||||||
}
|
}
|
||||||
if c.watchdogCheck() {
|
if c.watchdogCheck() {
|
||||||
|
@ -748,7 +749,6 @@ func (c *controller) buildResourceValidatingWebhookConfiguration(caBundle []byte
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
cfg := c.loadConfig()
|
|
||||||
webhookCfg := config.WebhookConfig{}
|
webhookCfg := config.WebhookConfig{}
|
||||||
webhookCfgs := cfg.GetWebhooks()
|
webhookCfgs := cfg.GetWebhooks()
|
||||||
if len(webhookCfgs) > 0 {
|
if len(webhookCfgs) > 0 {
|
||||||
|
|
|
@ -98,12 +98,13 @@ func hasWildcard(policies ...kyvernov1.PolicyInterface) bool {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
func objectMeta(name string, owner ...metav1.OwnerReference) metav1.ObjectMeta {
|
func objectMeta(name string, annotations map[string]string, owner ...metav1.OwnerReference) metav1.ObjectMeta {
|
||||||
return metav1.ObjectMeta{
|
return metav1.ObjectMeta{
|
||||||
Name: name,
|
Name: name,
|
||||||
Labels: map[string]string{
|
Labels: map[string]string{
|
||||||
utils.ManagedByLabel: kyvernov1.ValueKyvernoApp,
|
utils.ManagedByLabel: kyvernov1.ValueKyvernoApp,
|
||||||
},
|
},
|
||||||
|
Annotations: annotations,
|
||||||
OwnerReferences: owner,
|
OwnerReferences: owner,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|