refactor: used typed admission request in ur #4022

merged 9 commits into from May 29, 2022
3 changes: 2 additions & 1 deletion Makefile
Expand Up @@ -376,7 +376,8 @@ install-controller-gen: ## Install controller-gen
CONTROLLER_GEN_TMP_DIR=$$(mktemp -d) ;\
cd $$CONTROLLER_GEN_TMP_DIR ;\
go mod init tmp ;\
go install sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_GEN_REQ_VERSION) ;\
go mod edit -replace=sigs.k8s.io/controller-tools@$(CONTROLLER_GEN_REQ_VERSION)=github.com/eddycharly/controller-tools@704af868d45a3a78448b9a6a2279c12ea96a621e ;\
go get sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_GEN_REQ_VERSION) ;\
rm -rf $$CONTROLLER_GEN_TMP_DIR ;\
}
CONTROLLER_GEN=$(GOPATH)/bin/controller-gen
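Review bot: The controller-gen build now resolves sigs.k8s.io/controller-tools to a personal fork (github.com/eddycharly/controller-tools) through the `go mod edit -replace` line; pinning to a full commit hash keeps it immutable, but a build-time code generator sourced from an individual's fork is a supply-chain dependency that should be recorded in the Makefile itself. Add a comment above the replace naming the upstream change it carries and the condition for removing it, e.g. `# TODO: drop the replace once the upstream controller-tools fix is released`. Separately, with Go 1.18 or newer `go get` no longer builds or installs binaries, so if the toolchain is that recent this recipe will not produce $(GOPATH)/bin/controller-gen; a `go install sigs.k8s.io/controller-tools/cmd/controller-gen` (without @version, so the replace is honoured) after the `go get` would be needed — worth confirming against the module's toolchain version, which is outside this diff.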
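--- a/api/kyverno/v1beta1/updaterequest_types.go
+++ b/api/kyverno/v1beta1/updaterequest_types.go
@@ -117,7 +117,7 @@ type RequestInfo struct {
 // AdmissionRequestInfoObject stores the admission request and operation details
 type AdmissionRequestInfoObject struct {
 	// +optional
-	AdmissionRequest string `json:"admissionRequest,omitempty" yaml:"admissionRequest,omitempty"`
+	AdmissionRequest *admissionv1.AdmissionRequest `json:"admissionRequest,omitempty" yaml:"admissionRequest,omitempty"`
 	// +optional
 	Operation admissionv1.Operation `json:"operation,omitempty" yaml:"operation,omitempty"`
 }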
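Review bot: The new `AdmissionRequest` field carries only the `+optional` marker and no doc comment, although embedding the full k8s type changes what is stored and validated. Because the generated CRD schema (visible in the chart hunk below) now marks `kind`, `operation`, `resource`, `uid` and `userInfo` as required inside `admissionRequest`, a partially populated request will be rejected by API-server validation when the UpdateRequest is created, where the old opaque string would have been accepted; and the field persists the requesting user's identity (`userInfo`) and the full `object`/`oldObject` in etcd as structured data, so RBAC on updaterequests governs access to it. Suggested comment above the field: `// AdmissionRequest is the admission request that triggered this update request. When set, its required fields (kind, operation, resource, uid, userInfo) must be populated or the API server rejects the object; it also embeds the requesting user's identity and the full object, so read access to UpdateRequests exposes that data.`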
8 changes: 7 additions & 1 deletion api/kyverno/v1beta1/zz_generated.deepcopy.go


170 changes: 121 additions & 49 deletions charts/kyverno/templates/crds.yaml
Expand Up @@ -1611,12 +1611,6 @@ spec:
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
Expand Down Expand Up @@ -1883,12 +1877,6 @@ spec:
served: true
storage: true
subresources: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
Expand Down Expand Up @@ -2155,12 +2143,6 @@ spec:
served: true
storage: true
subresources: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
Expand Down Expand Up @@ -2336,12 +2318,6 @@ spec:
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
Expand Down Expand Up @@ -3955,12 +3931,6 @@ spec:
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
Expand Down Expand Up @@ -4227,12 +4197,6 @@ spec:
served: true
storage: true
subresources: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
Expand Down Expand Up @@ -4499,12 +4463,6 @@ spec:
served: true
storage: true
subresources: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
Expand Down Expand Up @@ -4577,7 +4535,127 @@ spec:
description: AdmissionRequestInfoObject stores the admission request and operation details
properties:
admissionRequest:
type: string
description: AdmissionRequest describes the admission.Attributes for the admission request.
properties:
dryRun:
description: DryRun indicates that modifications will definitely not be persisted for this request. Defaults to false.
type: boolean
kind:
description: Kind is the fully-qualified type of object being submitted (for example, v1.Pod or autoscaling.v1.Scale)
properties:
group:
type: string
kind:
type: string
version:
type: string
required:
- group
- kind
- version
type: object
name:
description: Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and rely on the server to generate the name. If that is the case, this field will contain an empty string.
type: string
namespace:
description: Namespace is the namespace associated with the request (if any).
type: string
object:
description: Object is the object from the incoming request.
type: object
x-kubernetes-preserve-unknown-fields: true
oldObject:
description: OldObject is the existing object. Only populated for DELETE and UPDATE requests.
type: object
x-kubernetes-preserve-unknown-fields: true
operation:
description: Operation is the operation being performed. This may be different than the operation requested. e.g. a patch can result in either a CREATE or UPDATE Operation.
type: string
options:
description: Options is the operation option structure of the operation being performed. e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be different than the options the caller provided. e.g. for a patch request the performed Operation might be a CREATE, in which case the Options will a `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`.
type: object
x-kubernetes-preserve-unknown-fields: true
requestKind:
description: "RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale). If this is specified and differs from the value in \"kind\", an equivalent match and conversion was performed. \n For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]` and `matchPolicy: Equivalent`, an API request to apps/v1beta1 deployments would be converted and sent to the webhook with `kind: {group:\"apps\", version:\"v1\", kind:\"Deployment\"}` (matching the rule the webhook registered for), and `requestKind: {group:\"apps\", version:\"v1beta1\", kind:\"Deployment\"}` (indicating the kind of the original API request). \n See documentation for the \"matchPolicy\" field in the webhook configuration type for more details."
properties:
group:
type: string
kind:
type: string
version:
type: string
required:
- group
- kind
- version
type: object
requestResource:
description: "RequestResource is the fully-qualified resource of the original API request (for example, v1.pods). If this is specified and differs from the value in \"resource\", an equivalent match and conversion was performed. \n For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]` and `matchPolicy: Equivalent`, an API request to apps/v1beta1 deployments would be converted and sent to the webhook with `resource: {group:\"apps\", version:\"v1\", resource:\"deployments\"}` (matching the resource the webhook registered for), and `requestResource: {group:\"apps\", version:\"v1beta1\", resource:\"deployments\"}` (indicating the resource of the original API request). \n See documentation for the \"matchPolicy\" field in the webhook configuration type."
properties:
group:
type: string
resource:
type: string
version:
type: string
required:
- group
- resource
- version
type: object
requestSubResource:
description: RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale") If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed. See documentation for the "matchPolicy" field in the webhook configuration type.
type: string
resource:
description: Resource is the fully-qualified resource being requested (for example, v1.pods)
properties:
group:
type: string
resource:
type: string
version:
type: string
required:
- group
- resource
- version
type: object
subResource:
description: SubResource is the subresource being requested, if any (for example, "status" or "scale")
type: string
uid:
description: UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are otherwise identical (parallel requests, requests when earlier requests did not modify etc) The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request. It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.
type: string
userInfo:
description: UserInfo is information about the requesting user
properties:
extra:
additionalProperties:
description: ExtraValue masks the value so protobuf can generate
items:
type: string
type: array
description: Any additional information provided by the authenticator.
type: object
groups:
description: The names of groups this user is a part of.
items:
type: string
type: array
uid:
description: A unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs.
type: string
username:
description: The name that uniquely identifies this user among all active users.
type: string
type: object
required:
- kind
- operation
- resource
- uid
- userInfo
type: object
operation:
description: Operation is the type of resource operation being checked for admission control
type: string
Expand Down Expand Up @@ -4690,10 +4768,4 @@ spec:
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
{{- end }}
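--- a/cmd/initContainer/main.go
+++ b/cmd/initContainer/main.go
@@ -5,6 +5,7 @@ package main
 
 import (
 	"context"
+	"encoding/json"
 	"flag"
 	"os"
 	"sync"
@@ -20,6 +21,7 @@ import (
 	"github.com/kyverno/kyverno/pkg/signal"
 	"github.com/kyverno/kyverno/pkg/tls"
 	"github.com/kyverno/kyverno/pkg/utils"
+	admissionv1 "k8s.io/api/admission/v1"
 	coordinationv1 "k8s.io/api/coordination/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -445,6 +447,16 @@ func convertGR(pclient kyvernoclient.Interface) error {
 	}
 	for _, gr := range grs.Items {
 		cp := gr.DeepCopy()
+		var request *admissionv1.AdmissionRequest
+		if cp.Spec.Context.AdmissionRequestInfo.AdmissionRequest != "" {
+			var r admissionv1.AdmissionRequest
+			err := json.Unmarshal([]byte(cp.Spec.Context.AdmissionRequestInfo.AdmissionRequest), &r)
+			if err != nil {
+				logger.Error(err, "failed to unmarshal admission request")
+				errors = append(errors, err)
+				continue
+			}
+		}
 		ur := &kyvernov1beta1.UpdateRequest{
 			ObjectMeta: metav1.ObjectMeta{
 				GenerateName: "ur-",
@@ -462,7 +474,7 @@
 						AdmissionUserInfo: cp.Spec.Context.UserRequestInfo.AdmissionUserInfo,
 					},
 					AdmissionRequestInfo: kyvernov1beta1.AdmissionRequestInfoObject{
-						AdmissionRequest: cp.Spec.Context.AdmissionRequestInfo.AdmissionRequest,
+						AdmissionRequest: request,
 						Operation: cp.Spec.Context.AdmissionRequestInfo.Operation,
 					},
 				},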
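Review bot: `request` is declared but never assigned in the new block — the string is unmarshalled into `r`, but `r` is then dropped, so every converted UpdateRequest is created with `AdmissionRequest: nil` and the original admission request (including the requesting user) is silently lost during the GenerateRequest migration. The fix is one line after the error check inside the `if`: `request = &r`. Note also that the local `errors` slice (declared outside this hunk, presumably) shadows the imported `k8s.io/apimachinery/pkg/api/errors` package within convertGR; it compiles, but renaming the slice (e.g. `errs`) would avoid the ambiguity. The body of convertGR starts before and continues past these hunks.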
6 changes: 0 additions & 6 deletions config/crds/kyverno.io_clusterpolicies.yaml
Expand Up @@ -2561,9 +2561,3 @@ spec:
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
6 changes: 0 additions & 6 deletions config/crds/kyverno.io_clusterreportchangerequests.yaml
Expand Up @@ -354,9 +354,3 @@ spec:
served: true
storage: true
subresources: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
6 changes: 0 additions & 6 deletions config/crds/kyverno.io_generaterequests.yaml
Expand Up @@ -182,9 +182,3 @@ spec:
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
6 changes: 0 additions & 6 deletions config/crds/kyverno.io_policies.yaml
Expand Up @@ -2563,9 +2563,3 @@ spec:
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
6 changes: 0 additions & 6 deletions config/crds/kyverno.io_reportchangerequests.yaml
Expand Up @@ -354,9 +354,3 @@ spec:
served: true
storage: true
subresources: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []