mirror of
https://github.com/kyverno/kyverno.git
synced 2024-12-14 11:57:48 +00:00
6d8ae16afa
* updated flags Signed-off-by: hackeramitkumar <amit9116260192@gmail.com> * added ristretto_cache impl Signed-off-by: hackeramitkumar <amit9116260192@gmail.com> * added bufferSize Signed-off-by: hackeramitkumar <amit9116260192@gmail.com> * small nits Signed-off-by: hackeramitkumar <amit9116260192@gmail.com> * made cache as private member Signed-off-by: hackeramitkumar <amit9116260192@gmail.com> * made cache as private member Signed-off-by: hackeramitkumar <amit9116260192@gmail.com> * added logger.withValues Signed-off-by: hackeramitkumar <amit9116260192@gmail.com> * added verify image cache Signed-off-by: hackeramitkumar <amit9116260192@gmail.com> * small nits Signed-off-by: hackeramitkumar <amit9116260192@gmail.com> * added cache tests Signed-off-by: hackeramitkumar <amit9116260192@gmail.com> * fixed lint issue Signed-off-by: hackeramitkumar <amit9116260192@gmail.com> * added chaged policy test Signed-off-by: hackeramitkumar <amit9116260192@gmail.com> * cache time should be entered in minutes Signed-off-by: hackeramitkumar <amit9116260192@gmail.com> * removed cache.wait() Signed-off-by: hackeramitkumar <amit9116260192@gmail.com> * small nits Signed-off-by: hackeramitkumar <amit9116260192@gmail.com> * removed client.go logs and added in imageVerifier Signed-off-by: hackeramitkumar <amit9116260192@gmail.com> * added level to the logs Signed-off-by: hackeramitkumar <amit9116260192@gmail.com> * added notary image cache verification Signed-off-by: hackeramitkumar <amit9116260192@gmail.com> * replace intVar by flag.DurationVar() Signed-off-by: hackeramitkumar <amit9116260192@gmail.com> * removed lock from cache clinet Signed-off-by: hackeramitkumar <amit9116260192@gmail.com> * updated cosign tests Signed-off-by: hackeramitkumar <amit9116260192@gmail.com> * added execution latencies comparision Signed-off-by: hackeramitkumar <amit9116260192@gmail.com> * added assert.Error() Signed-off-by: hackeramitkumar <amit9116260192@gmail.com> * added error assertion util Signed-off-by: hackeramitkumar <amit9116260192@gmail.com> * added error log Signed-off-by: hackeramitkumar <amit9116260192@gmail.com> * Update pkg/engine/internal/imageverifier.go Signed-off-by: shuting <shutting06@gmail.com> * lint fixes Signed-off-by: hackeramitkumar <amit9116260192@gmail.com> * removed logs from unit tests Signed-off-by: hackeramitkumar <amit9116260192@gmail.com> * added ristretto_cache impl Signed-off-by: hackeramitkumar <amit9116260192@gmail.com> * removed cache.wait() Signed-off-by: hackeramitkumar <amit9116260192@gmail.com> * small nits Signed-off-by: hackeramitkumar <amit9116260192@gmail.com> * added asssertions in tests Signed-off-by: hackeramitkumar <amit9116260192@gmail.com> * fixed conflicts Signed-off-by: hackeramitkumar <amit9116260192@gmail.com> * lint fix Signed-off-by: hackeramitkumar <amit9116260192@gmail.com> * renamed variabls Signed-off-by: hackeramitkumar <amit9116260192@gmail.com> --------- Signed-off-by: hackeramitkumar <amit9116260192@gmail.com> Signed-off-by: shuting <shutting06@gmail.com> Co-authored-by: shuting <shutting06@gmail.com> Co-authored-by: shuting <shuting@nirmata.com>
235 lines
7.9 KiB
Go
235 lines
7.9 KiB
Go
package internal
|
|
|
|
import (
|
|
"flag"
|
|
"time"
|
|
|
|
"github.com/go-logr/logr"
|
|
"github.com/kyverno/kyverno/pkg/leaderelection"
|
|
"github.com/kyverno/kyverno/pkg/logging"
|
|
"github.com/kyverno/kyverno/pkg/toggle"
|
|
)
|
|
|
|
var (
|
|
// logging
|
|
loggingFormat string
|
|
// profiling
|
|
profilingEnabled bool
|
|
profilingAddress string
|
|
profilingPort string
|
|
// tracing
|
|
tracingEnabled bool
|
|
tracingAddress string
|
|
tracingPort string
|
|
tracingCreds string
|
|
// metrics
|
|
otel string
|
|
otelCollector string
|
|
metricsPort string
|
|
transportCreds string
|
|
disableMetricsExport bool
|
|
// kubeconfig
|
|
kubeconfig string
|
|
clientRateLimitQPS float64
|
|
clientRateLimitBurst int
|
|
// engine
|
|
enablePolicyException bool
|
|
exceptionNamespace string
|
|
enableConfigMapCaching bool
|
|
// cosign
|
|
imageSignatureRepository string
|
|
// registry client
|
|
imagePullSecrets string
|
|
allowInsecureRegistry bool
|
|
registryCredentialHelpers string
|
|
// leader election
|
|
leaderElectionRetryPeriod time.Duration
|
|
// image verify cache
|
|
imageVerifyCacheEnabled bool
|
|
imageVerifyCacheTTLDuration time.Duration
|
|
imageVerifyCacheMaxSize int64
|
|
)
|
|
|
|
func initLoggingFlags() {
|
|
logging.InitFlags(nil)
|
|
flag.StringVar(&loggingFormat, "loggingFormat", logging.TextFormat, "This determines the output format of the logger.")
|
|
checkErr(flag.Set("v", "2"), "failed to init flags")
|
|
}
|
|
|
|
func initProfilingFlags() {
|
|
flag.BoolVar(&profilingEnabled, "profile", false, "Set this flag to 'true', to enable profiling.")
|
|
flag.StringVar(&profilingPort, "profilePort", "6060", "Profiling server port, defaults to '6060'.")
|
|
flag.StringVar(&profilingAddress, "profileAddress", "", "Profiling server address, defaults to ''.")
|
|
}
|
|
|
|
func initTracingFlags() {
|
|
flag.BoolVar(&tracingEnabled, "enableTracing", false, "Set this flag to 'true', to enable tracing.")
|
|
flag.StringVar(&tracingPort, "tracingPort", "4317", "Tracing receiver port, defaults to '4317'.")
|
|
flag.StringVar(&tracingAddress, "tracingAddress", "", "Tracing receiver address, defaults to ''.")
|
|
flag.StringVar(&tracingCreds, "tracingCreds", "", "Set this flag to the CA secret containing the certificate which is used by our Opentelemetry Tracing Client. If empty string is set, means an insecure connection will be used")
|
|
}
|
|
|
|
func initMetricsFlags() {
|
|
flag.StringVar(&otel, "otelConfig", "prometheus", "Set this flag to 'grpc', to enable exporting metrics to an Opentelemetry Collector. The default collector is set to \"prometheus\"")
|
|
flag.StringVar(&otelCollector, "otelCollector", "opentelemetrycollector.kyverno.svc.cluster.local", "Set this flag to the OpenTelemetry Collector Service Address. Kyverno will try to connect to this on the metrics port.")
|
|
flag.StringVar(&transportCreds, "transportCreds", "", "Set this flag to the CA secret containing the certificate which is used by our Opentelemetry Metrics Client. If empty string is set, means an insecure connection will be used")
|
|
flag.StringVar(&metricsPort, "metricsPort", "8000", "Expose prometheus metrics at the given port, default to 8000.")
|
|
flag.BoolVar(&disableMetricsExport, "disableMetrics", false, "Set this flag to 'true' to disable metrics.")
|
|
}
|
|
|
|
func initKubeconfigFlags(qps float64, burst int) {
|
|
flag.StringVar(&kubeconfig, "kubeconfig", "", "Path to a kubeconfig. Only required if out-of-cluster.")
|
|
flag.Float64Var(&clientRateLimitQPS, "clientRateLimitQPS", qps, "Configure the maximum QPS to the Kubernetes API server from Kyverno. Uses the client default if zero.")
|
|
flag.IntVar(&clientRateLimitBurst, "clientRateLimitBurst", burst, "Configure the maximum burst for throttle. Uses the client default if zero.")
|
|
}
|
|
|
|
func initPolicyExceptionsFlags() {
|
|
flag.StringVar(&exceptionNamespace, "exceptionNamespace", "", "Configure the namespace to accept PolicyExceptions.")
|
|
flag.BoolVar(&enablePolicyException, "enablePolicyException", false, "Enable PolicyException feature.")
|
|
}
|
|
|
|
func initConfigMapCachingFlags() {
|
|
flag.BoolVar(&enableConfigMapCaching, "enableConfigMapCaching", true, "Enable config maps caching.")
|
|
}
|
|
|
|
func initDeferredLoadingFlags() {
|
|
flag.Func(toggle.EnableDeferredLoadingFlagName, toggle.EnableDeferredLoadingDescription, toggle.EnableDeferredLoading.Parse)
|
|
}
|
|
|
|
func initCosignFlags() {
|
|
flag.StringVar(&imageSignatureRepository, "imageSignatureRepository", "", "(DEPRECATED, will be removed in 1.12) Alternate repository for image signatures. Can be overridden per rule via `verifyImages.Repository`.")
|
|
}
|
|
|
|
func initRegistryClientFlags() {
|
|
flag.BoolVar(&allowInsecureRegistry, "allowInsecureRegistry", false, "Whether to allow insecure connections to registries. Don't use this for anything but testing.")
|
|
flag.StringVar(&imagePullSecrets, "imagePullSecrets", "", "Secret resource names for image registry access credentials.")
|
|
flag.StringVar(®istryCredentialHelpers, "registryCredentialHelpers", "", "Credential helpers to enable (default,google,amazon,azure,github). No helpers are added when this flag is empty.")
|
|
}
|
|
|
|
func initImageVerifyCacheFlags() {
|
|
flag.BoolVar(&imageVerifyCacheEnabled, "imageVerifyCacheEnabled", true, "Whether to use a TTL cache for storing verified images.")
|
|
flag.Int64Var(&imageVerifyCacheMaxSize, "imageVerifyCacheMaxSize", 1000, "Max size limit for the TTL cache, 0 means default 1000 size limit.")
|
|
flag.DurationVar(&imageVerifyCacheTTLDuration, "imageVerifyCacheTTLDuration", 60*time.Minute, "Max TTL value for a cache, 0 means default 1 hour TTL.")
|
|
}
|
|
|
|
func initLeaderElectionFlags() {
|
|
flag.DurationVar(&leaderElectionRetryPeriod, "leaderElectionRetryPeriod", leaderelection.DefaultRetryPeriod, "Configure leader election retry period.")
|
|
}
|
|
|
|
type options struct {
|
|
clientRateLimitQPS float64
|
|
clientRateLimitBurst int
|
|
}
|
|
|
|
func newOptions() options {
|
|
return options{
|
|
clientRateLimitQPS: 20,
|
|
clientRateLimitBurst: 50,
|
|
}
|
|
}
|
|
|
|
type Option = func(*options)
|
|
|
|
func WithDefaultQps(qps float64) Option {
|
|
return func(o *options) {
|
|
o.clientRateLimitQPS = qps
|
|
}
|
|
}
|
|
|
|
func WithDefaultBurst(burst int) Option {
|
|
return func(o *options) {
|
|
o.clientRateLimitBurst = burst
|
|
}
|
|
}
|
|
|
|
func initFlags(config Configuration, opts ...Option) {
|
|
options := newOptions()
|
|
for _, o := range opts {
|
|
if o != nil {
|
|
o(&options)
|
|
}
|
|
}
|
|
// logging
|
|
initLoggingFlags()
|
|
// profiling
|
|
if config.UsesProfiling() {
|
|
initProfilingFlags()
|
|
}
|
|
// tracing
|
|
if config.UsesTracing() {
|
|
initTracingFlags()
|
|
}
|
|
// metrics
|
|
if config.UsesMetrics() {
|
|
initMetricsFlags()
|
|
}
|
|
// kubeconfig
|
|
if config.UsesKubeconfig() {
|
|
initKubeconfigFlags(options.clientRateLimitQPS, options.clientRateLimitBurst)
|
|
}
|
|
// policy exceptions
|
|
if config.UsesPolicyExceptions() {
|
|
initPolicyExceptionsFlags()
|
|
}
|
|
// config map caching
|
|
if config.UsesConfigMapCaching() {
|
|
initConfigMapCachingFlags()
|
|
}
|
|
// deferred loading
|
|
if config.UsesDeferredLoading() {
|
|
initDeferredLoadingFlags()
|
|
}
|
|
// cosign
|
|
if config.UsesCosign() {
|
|
initCosignFlags()
|
|
}
|
|
// registry client
|
|
if config.UsesRegistryClient() {
|
|
initRegistryClientFlags()
|
|
}
|
|
// image verify cache
|
|
if config.UsesImageVerifyCache() {
|
|
initImageVerifyCacheFlags()
|
|
}
|
|
// leader election
|
|
if config.UsesLeaderElection() {
|
|
initLeaderElectionFlags()
|
|
}
|
|
for _, flagset := range config.FlagSets() {
|
|
flagset.VisitAll(func(f *flag.Flag) {
|
|
flag.CommandLine.Var(f.Value, f.Name, f.Usage)
|
|
})
|
|
}
|
|
}
|
|
|
|
func showWarnings(config Configuration, logger logr.Logger) {
|
|
if config.UsesCosign() {
|
|
if imageSignatureRepository != "" {
|
|
logger.Info("Warning: imageSignatureRepository is deprecated and will be removed in 1.12. Use per rule configuration `verifyImages.Repository` instead.")
|
|
}
|
|
}
|
|
}
|
|
|
|
func ParseFlags(config Configuration, opts ...Option) {
|
|
initFlags(config, opts...)
|
|
flag.Parse()
|
|
}
|
|
|
|
func ExceptionNamespace() string {
|
|
return exceptionNamespace
|
|
}
|
|
|
|
func PolicyExceptionEnabled() bool {
|
|
return enablePolicyException
|
|
}
|
|
|
|
func LeaderElectionRetryPeriod() time.Duration {
|
|
return leaderElectionRetryPeriod
|
|
}
|
|
|
|
func printFlagSettings(logger logr.Logger) {
|
|
logger = logger.WithName("flag")
|
|
flag.VisitAll(func(f *flag.Flag) {
|
|
logger.V(2).Info("", f.Name, f.Value)
|
|
})
|
|
}
|