* feat: add interface for image verify cache Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * feat: add basic client for cache Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * feat: add ttl to client Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * feat: add flags and flag setup Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * feat: added a default image verify cache Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * feat: add propogation of cache to image verifier Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * feat: add useCache to image verification types Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * bug: add ivcache to image verifier Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * feat: add logger to cache Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * typo: DisabledImageVerfiyCache Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * typo: DisabledImageVerfiyCache Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * Update cmd/internal/flag.go Signed-off-by: shuting <shutting06@gmail.com> * feat: add use cache to v2beta1 crd Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * bug: change public attribute TTL to private Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * fix: replace nil in test with disabled cache Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * fix: convert ttl time to time.Duration Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * feat: update opts to use time.Duration Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * feat:add policy version and remove delete functions by adding policy version, old entries will automatically become outdated and we will not have to remove them manually Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * 
feat: remove clear and update get and set to take interface as input Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * style: fix lint issue Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> --------- Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> Signed-off-by: shuting <shutting06@gmail.com> Co-authored-by: shuting <shutting06@gmail.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
package internal
import (
"context"
"errors"
"time"
"github.com/go-logr/logr"
"github.com/kyverno/kyverno/pkg/client/clientset/versioned"
kyvernoinformer "github.com/kyverno/kyverno/pkg/client/informers/externalversions"
"github.com/kyverno/kyverno/pkg/clients/dclient"
"github.com/kyverno/kyverno/pkg/config"
"github.com/kyverno/kyverno/pkg/engine"
"github.com/kyverno/kyverno/pkg/engine/adapters"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
"github.com/kyverno/kyverno/pkg/engine/context/resolvers"
"github.com/kyverno/kyverno/pkg/engine/factories"
"github.com/kyverno/kyverno/pkg/engine/jmespath"
"github.com/kyverno/kyverno/pkg/imageverifycache"
"github.com/kyverno/kyverno/pkg/registryclient"
"k8s.io/client-go/kubernetes"
corev1listers "k8s.io/client-go/listers/core/v1"
)
// NewEngine wires up the policy engine used by the kyverno binaries.
//
// It first builds the two informer-backed lookups the engine depends on — a
// ConfigMap resolver for policy context entries and a PolicyException
// selector — each with a 15 minute informer resync, and then hands them to
// engine.NewEngine together with the supplied clients and caches.
//
// Parameters:
//   - ctx: bounds the informers started by the two resolver constructors.
//   - logger: parent logger. The resolvers receive it as given (they attach
//     their own names); only this function's own log line uses a child
//     named "engine".
//   - configuration, metricsConfiguration: engine and metrics configuration,
//     passed through unchanged.
//   - jp: JMESPath implementation handed to the engine.
//   - client: dynamic client, wrapped via adapters.Client.
//   - rclient: registry client for image verification, wrapped via
//     adapters.RegistryClient and combined with secretLister into the default
//     registry client factory.
//   - ivCache: image verification cache, passed through to the engine.
//   - kubeClient, kyvernoClient: typed clients the resolver constructors use
//     to build their informers.
//   - secretLister: namespaced Secret lister given to the registry client
//     factory (presumably for image pull secrets — the factory is not in this
//     file).
//
// Returns the constructed engineapi.Engine. The final argument to
// engine.NewEngine, imageSignatureRepository, is a package-level value
// defined elsewhere in this package (presumably a CLI flag) and is not
// visible here.
//
// NOTE(review): both resolver constructors block until their informer caches
// have synced and route sync/constructor failures through checkError, whose
// definition is not in this file — confirm that it terminates the process,
// otherwise the engine could be built on a partially populated cache.
func NewEngine(
	ctx context.Context,
	logger logr.Logger,
	configuration config.Configuration,
	metricsConfiguration config.MetricsConfiguration,
	jp jmespath.Interface,
	client dclient.Interface,
	rclient registryclient.Client,
	ivCache imageverifycache.Client,
	kubeClient kubernetes.Interface,
	kyvernoClient versioned.Interface,
	secretLister corev1listers.SecretNamespaceLister,
) engineapi.Engine {
	const informerResync = 15 * time.Minute
	// Resolvers are built with the caller's logger, not the "engine" child.
	cmResolver := NewConfigMapResolver(ctx, logger, kubeClient, informerResync)
	exceptionSelector := NewExceptionSelector(ctx, logger, kyvernoClient, informerResync)
	engineLogger := logger.WithName("engine")
	engineLogger.Info("setup engine...")
	// Adapters and factories are assembled in the same order the engine
	// constructor consumes them.
	dynamicClient := adapters.Client(client)
	registryFactory := factories.DefaultRegistryClientFactory(adapters.RegistryClient(rclient), secretLister)
	contextLoaderFactory := factories.DefaultContextLoaderFactory(cmResolver)
	return engine.NewEngine(
		configuration,
		metricsConfiguration,
		jp,
		dynamicClient,
		registryFactory,
		ivCache,
		contextLoaderFactory,
		exceptionSelector,
		imageSignatureRepository,
	)
}
// NewExceptionSelector builds the PolicyException lookup the engine consults
// when evaluating rules.
//
// Behaviour is driven by two package-level settings that are not defined in
// this file (presumably CLI flags): enablePolicyException and
// exceptionNamespace.
//   - When enablePolicyException is false nothing is built and a nil
//     selector is returned; callers must tolerate the nil interface.
//   - Otherwise a kyverno shared informer factory is created with
//     resyncPeriod, a v2alpha1 PolicyExceptions lister is taken from it, the
//     informers are started and the function blocks until the cache has
//     synced. A non-empty exceptionNamespace scopes the lister to that one
//     namespace; an empty value means exceptions from every namespace are
//     honoured.
//
// Security note: PolicyExceptions relax policy enforcement, so with an empty
// exceptionNamespace anyone permitted to create a PolicyException in any
// namespace can carve out an exemption. Pinning exceptionNamespace to a
// namespace with tight RBAC is the conservative configuration.
//
// Parameters:
//   - ctx: passed to StartInformersAndWaitForCacheSync; bounds the informers.
//   - logger: parent logger; a child named "exception-selector" carrying both
//     settings as values is used for this function's log lines.
//   - kyvernoClient: typed client backing the informer factory.
//   - resyncPeriod: full-resync interval for the informer factory.
//
// Returns the selector, or nil when policy exceptions are disabled. A failed
// cache sync is reported through checkError (defined elsewhere in this
// package); if that call returns rather than exiting, the lister is still
// returned and may serve an empty cache — confirm checkError's behaviour.
func NewExceptionSelector(
	ctx context.Context,
	logger logr.Logger,
	kyvernoClient versioned.Interface,
	resyncPeriod time.Duration,
) engineapi.PolicyExceptionSelector {
	logger = logger.WithName("exception-selector").WithValues("enablePolicyException", enablePolicyException, "exceptionNamespace", exceptionNamespace)
	logger.Info("setup exception selector...")
	if !enablePolicyException {
		// Feature is off: the engine receives a nil selector.
		return nil
	}
	informerFactory := kyvernoinformer.NewSharedInformerFactory(kyvernoClient, resyncPeriod)
	clusterLister := informerFactory.Kyverno().V2alpha1().PolicyExceptions().Lister()
	var selector engineapi.PolicyExceptionSelector = clusterLister
	if exceptionNamespace != "" {
		// Narrow the lookup to the configured namespace.
		selector = clusterLister.PolicyExceptions(exceptionNamespace)
	}
	// Start the informers and block until the cache is populated.
	if !StartInformersAndWaitForCacheSync(ctx, logger, informerFactory) {
		checkError(logger, errors.New("failed to wait for cache sync"), "failed to wait for cache sync")
	}
	return selector
}
// NewConfigMapResolver builds the resolver the engine uses to fetch
// ConfigMaps referenced from policy context entries.
//
// A client-based resolver (live API reads through kubeClient) is always
// created. When the package-level enableConfigMapCaching setting — not
// defined in this file, presumably a CLI flag — is false, that resolver is
// returned as is. Otherwise an informer-backed resolver is added: a cache
// informer factory is obtained from resolvers.GetCacheInformerFactory with
// resyncPeriod, an informer-based resolver is built on its ConfigMap lister,
// the two resolvers are combined through
// engineapi.NewNamespacedResourceResolver (informer-based first, client-based
// second — how they are consulted is decided inside that constructor), and
// the informers are started and awaited before returning.
//
// Parameters:
//   - ctx: passed to StartInformersAndWaitForCacheSync; bounds the informers.
//   - logger: parent logger; a child named "configmap-resolver" carrying the
//     caching setting as a value is used for this function's log lines.
//   - kubeClient: typed client used for live reads and for the informers.
//   - resyncPeriod: full-resync interval for the cache informer factory.
//
// Returns the resolver. Every constructor error and a failed cache sync are
// routed through checkError (defined elsewhere in this package); the code
// below does not guard against checkError returning, so it is presumably
// fatal — confirm before relying on that. Which ConfigMaps the informer
// watches (all of them, or a labelled subset) is decided inside
// GetCacheInformerFactory and is not visible here; that choice determines
// both the RBAC the controller needs and what ends up in its memory.
func NewConfigMapResolver(
	ctx context.Context,
	logger logr.Logger,
	kubeClient kubernetes.Interface,
	resyncPeriod time.Duration,
) engineapi.ConfigmapResolver {
	logger = logger.WithName("configmap-resolver").WithValues("enableConfigMapCaching", enableConfigMapCaching)
	logger.Info("setup config map resolver...")
	// Live-read resolver: used alone when caching is off, and as the second
	// resolver in the combined one otherwise.
	liveResolver, err := resolvers.NewClientBasedResolver(kubeClient)
	checkError(logger, err, "failed to create client based resolver")
	if !enableConfigMapCaching {
		return liveResolver
	}
	informerFactory, err := resolvers.GetCacheInformerFactory(kubeClient, resyncPeriod)
	checkError(logger, err, "failed to create cache informer factory")
	cmLister := informerFactory.Core().V1().ConfigMaps().Lister()
	cachedResolver, err := resolvers.NewInformerBasedResolver(cmLister)
	checkError(logger, err, "failed to create informer based resolver")
	combinedResolver, err := engineapi.NewNamespacedResourceResolver(cachedResolver, liveResolver)
	checkError(logger, err, "failed to create config map resolver")
	// Start the informers and block until the cache is populated.
	if !StartInformersAndWaitForCacheSync(ctx, logger, informerFactory) {
		checkError(logger, errors.New("failed to wait for cache sync"), "failed to wait for cache sync")
	}
	return combinedResolver
}