mirror of
synced 2025-03-09 01:16:55 +00:00
* Make server ports configurable, resolves #7279 Signed-off-by: Dirk Pahl <dirk.pahl@deutschebahn.com> * Make server ports configurable, resolves #7279 Signed-off-by: Dirk Pahl <dirk.pahl@deutschebahn.com> * Switch to flags instead of env vars Signed-off-by: Dirk Pahl <dirk.pahl@deutschebahn.com> * Could not use internal package in webhooks pkg Signed-off-by: Dirk Pahl <dirk.pahl@deutschebahn.com> * Add helm chart changes Signed-off-by: Dirk Pahl <dirk.pahl@deutschebahn.com> * make codegen-docs-all Signed-off-by: Dirk Pahl <dirk.pahl@deutschebahn.com> * make codegen-manifest-all Signed-off-by: Dirk Pahl <dirk.pahl@deutschebahn.com> --------- Signed-off-by: Dirk Pahl <dirk.pahl@deutschebahn.com> Co-authored-by: Dirk Pahl <dirk.pahl@deutschebahn.com> Co-authored-by: shuting <shuting@nirmata.com>
255 lines
8.9 KiB
255 lines
8.9 KiB
package internal
import (
var (
// logging
loggingFormat string
// profiling
profilingEnabled bool
profilingAddress string
profilingPort string
// tracing
tracingEnabled bool
tracingAddress string
tracingPort string
tracingCreds string
// metrics
otel string
otelCollector string
metricsPort string
transportCreds string
disableMetricsExport bool
// kubeconfig
kubeconfig string
clientRateLimitQPS float64
clientRateLimitBurst int
// engine
enablePolicyException bool
exceptionNamespace string
enableConfigMapCaching bool
// cosign
imageSignatureRepository string
enableTUF bool
tufMirror string
tufRoot string
// registry client
imagePullSecrets string
allowInsecureRegistry bool
registryCredentialHelpers string
// leader election
leaderElectionRetryPeriod time.Duration
// cleanupServerPort is the kyverno cleanup server port
cleanupServerPort string
// image verify cache
imageVerifyCacheEnabled bool
imageVerifyCacheTTLDuration time.Duration
imageVerifyCacheMaxSize int64
func initLoggingFlags() {
flag.StringVar(&loggingFormat, "loggingFormat", logging.TextFormat, "This determines the output format of the logger.")
checkErr(flag.Set("v", "2"), "failed to init flags")
func initProfilingFlags() {
flag.BoolVar(&profilingEnabled, "profile", false, "Set this flag to 'true', to enable profiling.")
flag.StringVar(&profilingPort, "profilePort", "6060", "Profiling server port, defaults to '6060'.")
flag.StringVar(&profilingAddress, "profileAddress", "", "Profiling server address, defaults to ''.")
func initTracingFlags() {
flag.BoolVar(&tracingEnabled, "enableTracing", false, "Set this flag to 'true', to enable tracing.")
flag.StringVar(&tracingPort, "tracingPort", "4317", "Tracing receiver port, defaults to '4317'.")
flag.StringVar(&tracingAddress, "tracingAddress", "", "Tracing receiver address, defaults to ''.")
flag.StringVar(&tracingCreds, "tracingCreds", "", "Set this flag to the CA secret containing the certificate which is used by our Opentelemetry Tracing Client. If empty string is set, means an insecure connection will be used")
func initMetricsFlags() {
flag.StringVar(&otel, "otelConfig", "prometheus", "Set this flag to 'grpc', to enable exporting metrics to an Opentelemetry Collector. The default collector is set to \"prometheus\"")
flag.StringVar(&otelCollector, "otelCollector", "opentelemetrycollector.kyverno.svc.cluster.local", "Set this flag to the OpenTelemetry Collector Service Address. Kyverno will try to connect to this on the metrics port.")
flag.StringVar(&transportCreds, "transportCreds", "", "Set this flag to the CA secret containing the certificate which is used by our Opentelemetry Metrics Client. If empty string is set, means an insecure connection will be used")
flag.StringVar(&metricsPort, "metricsPort", "8000", "Expose prometheus metrics at the given port, default to 8000.")
flag.BoolVar(&disableMetricsExport, "disableMetrics", false, "Set this flag to 'true' to disable metrics.")
func initKubeconfigFlags(qps float64, burst int) {
flag.StringVar(&kubeconfig, "kubeconfig", "", "Path to a kubeconfig. Only required if out-of-cluster.")
flag.Float64Var(&clientRateLimitQPS, "clientRateLimitQPS", qps, "Configure the maximum QPS to the Kubernetes API server from Kyverno. Uses the client default if zero.")
flag.IntVar(&clientRateLimitBurst, "clientRateLimitBurst", burst, "Configure the maximum burst for throttle. Uses the client default if zero.")
func initPolicyExceptionsFlags() {
flag.StringVar(&exceptionNamespace, "exceptionNamespace", "", "Configure the namespace to accept PolicyExceptions.")
flag.BoolVar(&enablePolicyException, "enablePolicyException", true, "Enable PolicyException feature.")
func initConfigMapCachingFlags() {
flag.BoolVar(&enableConfigMapCaching, "enableConfigMapCaching", true, "Enable config maps caching.")
func initDeferredLoadingFlags() {
flag.Func(toggle.EnableDeferredLoadingFlagName, toggle.EnableDeferredLoadingDescription, toggle.EnableDeferredLoading.Parse)
func initCosignFlags() {
flag.StringVar(&imageSignatureRepository, "imageSignatureRepository", "", "(DEPRECATED, will be removed in 1.12) Alternate repository for image signatures. Can be overridden per rule via `verifyImages.Repository`.")
flag.BoolVar(&enableTUF, "enableTuf", false, "enable tuf for private sigstore deployments")
flag.StringVar(&tufMirror, "tufMirror", tuf.DefaultRemoteRoot, "Alternate TUF mirror for sigstore. If left blank, public sigstore one is used for cosign verification.")
flag.StringVar(&tufRoot, "tufRoot", "", "Alternate TUF root.json for sigstore. If left blank, public sigstore one is used for cosign verification.")
func initRegistryClientFlags() {
flag.BoolVar(&allowInsecureRegistry, "allowInsecureRegistry", false, "Whether to allow insecure connections to registries. Don't use this for anything but testing.")
flag.StringVar(&imagePullSecrets, "imagePullSecrets", "", "Secret resource names for image registry access credentials.")
flag.StringVar(®istryCredentialHelpers, "registryCredentialHelpers", "", "Credential helpers to enable (default,google,amazon,azure,github). No helpers are added when this flag is empty.")
func initImageVerifyCacheFlags() {
flag.BoolVar(&imageVerifyCacheEnabled, "imageVerifyCacheEnabled", true, "Enable a TTL cache for verified images.")
flag.Int64Var(&imageVerifyCacheMaxSize, "imageVerifyCacheMaxSize", 1000, "Maximum number of keys that can be stored in the TTL cache. Keys are a combination of policy elements along with the image reference. Default is 1000. 0 sets the value to default.")
flag.DurationVar(&imageVerifyCacheTTLDuration, "imageVerifyCacheTTLDuration", 60*time.Minute, "Maximum TTL value for a cache expressed as duration. Default is 60m. 0 sets the value to default.")
func initLeaderElectionFlags() {
flag.DurationVar(&leaderElectionRetryPeriod, "leaderElectionRetryPeriod", leaderelection.DefaultRetryPeriod, "Configure leader election retry period.")
func initCleanupFlags() {
flag.StringVar(&cleanupServerPort, "cleanupServerPort", "9443", "kyverno cleanup server port, defaults to '9443'.")
type options struct {
clientRateLimitQPS float64
clientRateLimitBurst int
func newOptions() options {
return options{
clientRateLimitQPS: 20,
clientRateLimitBurst: 50,
type Option = func(*options)
func WithDefaultQps(qps float64) Option {
return func(o *options) {
o.clientRateLimitQPS = qps
func WithDefaultBurst(burst int) Option {
return func(o *options) {
o.clientRateLimitBurst = burst
func initFlags(config Configuration, opts ...Option) {
options := newOptions()
for _, o := range opts {
if o != nil {
// logging
// profiling
if config.UsesProfiling() {
// tracing
if config.UsesTracing() {
// metrics
if config.UsesMetrics() {
// kubeconfig
if config.UsesKubeconfig() {
initKubeconfigFlags(options.clientRateLimitQPS, options.clientRateLimitBurst)
// policy exceptions
if config.UsesPolicyExceptions() {
// config map caching
if config.UsesConfigMapCaching() {
// deferred loading
if config.UsesDeferredLoading() {
// cosign
if config.UsesCosign() {
// registry client
if config.UsesRegistryClient() {
// image verify cache
if config.UsesImageVerifyCache() {
// leader election
if config.UsesLeaderElection() {
for _, flagset := range config.FlagSets() {
flagset.VisitAll(func(f *flag.Flag) {
flag.CommandLine.Var(f.Value, f.Name, f.Usage)
func showWarnings(config Configuration, logger logr.Logger) {
if config.UsesCosign() {
if imageSignatureRepository != "" {
logger.Info("Warning: imageSignatureRepository is deprecated and will be removed in 1.12. Use per rule configuration `verifyImages.Repository` instead.")
func ParseFlags(config Configuration, opts ...Option) {
initFlags(config, opts...)
func ExceptionNamespace() string {
return exceptionNamespace
func PolicyExceptionEnabled() bool {
return enablePolicyException
func LeaderElectionRetryPeriod() time.Duration {
return leaderElectionRetryPeriod
func CleanupServerPort() string {
return cleanupServerPort
func printFlagSettings(logger logr.Logger) {
logger = logger.WithName("flag")
flag.VisitAll(func(f *flag.Flag) {
logger.V(2).Info("", f.Name, f.Value)