From f98d7d86b365bb237bac0a5d45ee3452df7758e3 Mon Sep 17 00:00:00 2001
From: Mariam Fahmy
Date: Wed, 17 Apr 2024 18:01:00 +0800
Subject: [PATCH] refactor: add a function to check if VAPs are registered in the API server (#10014)

Signed-off-by: Mariam Fahmy
---
 cmd/kyverno/main.go | 8 ++++----
 cmd/reports-controller/main.go | 8 ++++----
 .../{permissions_checker.go => utils.go} | 10 ++++++++++
 3 files changed, 18 insertions(+), 8 deletions(-)
 rename pkg/validatingadmissionpolicy/{permissions_checker.go => utils.go} (72%)

diff --git a/cmd/kyverno/main.go b/cmd/kyverno/main.go
index 55674d5fa8..03fb81097e 100644
--- a/cmd/kyverno/main.go
+++ b/cmd/kyverno/main.go
@@ -37,6 +37,7 @@ import (
 "github.com/kyverno/kyverno/pkg/toggle"
 kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
 runtimeutils "github.com/kyverno/kyverno/pkg/utils/runtime"
+ "github.com/kyverno/kyverno/pkg/validatingadmissionpolicy"
 "github.com/kyverno/kyverno/pkg/validation/exception"
 "github.com/kyverno/kyverno/pkg/validation/globalcontext"
 "github.com/kyverno/kyverno/pkg/webhooks"
@@ -48,7 +49,6 @@ import (
 admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 corev1 "k8s.io/api/core/v1"
 apiserver "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
- "k8s.io/apimachinery/pkg/runtime/schema"
 kubeinformers "k8s.io/client-go/informers"
 corev1informers "k8s.io/client-go/informers/core/v1"
 "k8s.io/client-go/kubernetes"
@@ -314,9 +314,9 @@ func main() {
 // check if validating admission policies are registered in the API server
 generateValidatingAdmissionPolicy := toggle.FromContext(context.TODO()).GenerateValidatingAdmissionPolicy()
 if generateValidatingAdmissionPolicy {
- groupVersion := schema.GroupVersion{Group: "admissionregistration.k8s.io", Version: "v1alpha1"}
- if _, err := setup.KyvernoDynamicClient.GetKubeClient().Discovery().ServerResourcesForGroupVersion(groupVersion.String()); err != nil {
- setup.Logger.Error(err, "validating admission policies aren't supported.")
+ registered, err := validatingadmissionpolicy.IsValidatingAdmissionPolicyRegistered(setup.KubeClient)
+ if !registered {
+ setup.Logger.Error(err, "ValidatingAdmissionPolicies isn't supported in the API server")
 os.Exit(1)
 }
 }
diff --git a/cmd/reports-controller/main.go b/cmd/reports-controller/main.go
index b7e0a36b26..f252cfc930 100644
--- a/cmd/reports-controller/main.go
+++ b/cmd/reports-controller/main.go
@@ -26,8 +26,8 @@ import (
 "github.com/kyverno/kyverno/pkg/leaderelection"
 "github.com/kyverno/kyverno/pkg/logging"
 kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
+ "github.com/kyverno/kyverno/pkg/validatingadmissionpolicy"
 apiserver "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
- "k8s.io/apimachinery/pkg/runtime/schema"
 kubeinformers "k8s.io/client-go/informers"
 admissionregistrationv1alpha1informers "k8s.io/client-go/informers/admissionregistration/v1alpha1"
 metadatainformers "k8s.io/client-go/metadata/metadatainformer"
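Review bot: The new guard tests `!registered` and only uses `err` in the log, which couples main() to the helper's current behaviour of returning false only together with a non-nil error; if the helper ever returns `false, nil` the log carries a nil error, and if it returns `true, err` the error is silently dropped. Checking the error explicitly is the idiomatic form: `if err != nil || !registered {`. The log message also asserts "isn't supported in the API server" although the only evidence is a failed discovery call, which may be transient or an authorization failure; wording such as `"ValidatingAdmissionPolicy API (admissionregistration.k8s.io/v1alpha1) not available in the API server"` would not overstate the cause. The same pattern appears in the cmd/reports-controller/main.go hunk below. main() begins and ends outside the hunk.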
@@ -253,9 +253,9 @@ func main() {
 setup.Logger.Info("background scan interval", "duration", backgroundScanInterval.String())
 // check if validating admission policies are registered in the API server
 if validatingAdmissionPolicyReports {
- groupVersion := schema.GroupVersion{Group: "admissionregistration.k8s.io", Version: "v1alpha1"}
- if _, err := setup.KyvernoDynamicClient.GetKubeClient().Discovery().ServerResourcesForGroupVersion(groupVersion.String()); err != nil {
- setup.Logger.Error(err, "validating admission policies aren't supported.")
+ registered, err := validatingadmissionpolicy.IsValidatingAdmissionPolicyRegistered(setup.KubeClient)
+ if !registered {
+ setup.Logger.Error(err, "ValidatingAdmissionPolicies isn't supported in the API server")
 os.Exit(1)
 }
 }
diff --git a/pkg/validatingadmissionpolicy/permissions_checker.go b/pkg/validatingadmissionpolicy/utils.go
similarity index 72%
rename from pkg/validatingadmissionpolicy/permissions_checker.go
rename to pkg/validatingadmissionpolicy/utils.go
index 968c337207..62af06ac37 100644
--- a/pkg/validatingadmissionpolicy/permissions_checker.go
+++ b/pkg/validatingadmissionpolicy/utils.go
@@ -5,6 +5,7 @@ import (
 
 "github.com/kyverno/kyverno/pkg/auth/checker"
 "k8s.io/apimachinery/pkg/runtime/schema"
+ "k8s.io/client-go/kubernetes"
 )
 
 func hasPermissions(resource schema.GroupVersionResource, s checker.AuthChecker) bool {
@@ -28,3 +29,12 @@ func HasValidatingAdmissionPolicyBindingPermission(s checker.AuthChecker) bool {
 gvr := schema.GroupVersionResource{Group: "admissionregistration.k8s.io", Version: "v1alpha1", Resource: "validatingadmissionpolicybindings"}
 return hasPermissions(gvr, s)
 }
+
+// IsValidatingAdmissionPolicyRegistered checks if ValidatingAdmissionPolicies are registered in the API Server
+func IsValidatingAdmissionPolicyRegistered(kubeClient kubernetes.Interface) (bool, error) {
+ groupVersion := schema.GroupVersion{Group: "admissionregistration.k8s.io", Version: "v1alpha1"}
+ if _, err := kubeClient.Discovery().ServerResourcesForGroupVersion(groupVersion.String()); err != nil {
+ return false, err
+ }
+ return true, nil
+}
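Review bot: IsValidatingAdmissionPolicyRegistered returns `false, err` for every discovery failure, so a transient API-server error or a forbidden discovery request is reported to callers exactly like a cluster that genuinely does not serve the group, and both call sites in this patch then exit claiming the API "isn't supported". If a fail-closed startup check is the intent that is defensible, but the doc comment should state it, e.g. `// IsValidatingAdmissionPolicyRegistered reports whether admissionregistration.k8s.io/v1alpha1 is served by the API server; any discovery error, including transient ones, yields false together with the error.` A finer contract would treat a NotFound from discovery as `false, nil` (apierrors.IsNotFound from k8s.io/apimachinery/pkg/api/errors) and propagate other errors, letting callers distinguish "unsupported" from "could not determine". Only v1alpha1 is probed, so a cluster that serves the policy API solely at a newer version would be reported as not registered; the name and comment should make that version dependency explicit.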