Match endpoint to the exact Kyverno Pod's IP (#1787)
* update log message

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* update printer column - validation failure action

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* match endpoint ip with the exact pod ip

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* - add tag "app.kubernetes.io/name"; - reduce throttling requests when deleting webhook configs

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* add [SelfSubjectAccessReview,*,*] to resource filters

Signed-off-by: Shuting Zhao <shutting06@gmail.com>
realshuting committed Apr 13, 2021
1 parent fae4809 commit 9dab216
Showing 8 changed files with 85 additions and 12 deletions.
1 change: 1 addition & 0 deletions charts/kyverno/values.yaml
Expand Up @@ -116,6 +116,7 @@ config:
- "[APIService,*,*]"
- "[TokenReview,*,*]"
- "[SubjectAccessReview,*,*]"
- "[SelfSubjectAccessReview,*,*]"
- "[*,kyverno,*]"
- "[Binding,*,*]"
- "[ReplicaSet,*,*]"
7 changes: 6 additions & 1 deletion definitions/install.yaml
Expand Up @@ -2386,7 +2386,7 @@ subjects:
apiVersion: v1
data:
excludeGroupRole: system:serviceaccounts:kube-system,system:nodes,system:kube-scheduler
resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]'
resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]'
kind: ConfigMap
metadata:
name: init-config
Expand All @@ -2397,6 +2397,7 @@ kind: Service
metadata:
labels:
app: kyverno
app.kubernetes.io/name: kyverno
name: kyverno-svc
namespace: kyverno
spec:
Expand All @@ -2405,23 +2406,27 @@ spec:
targetPort: https
selector:
app: kyverno
app.kubernetes.io/name: kyverno
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: kyverno
app.kubernetes.io/name: kyverno
name: kyverno
namespace: kyverno
spec:
replicas: 1
selector:
matchLabels:
app: kyverno
app.kubernetes.io/name: kyverno
template:
metadata:
labels:
app: kyverno
app.kubernetes.io/name: kyverno
spec:
containers:
- args:
4 changes: 3 additions & 1 deletion definitions/install_debug.yaml
Expand Up @@ -2386,7 +2386,7 @@ subjects:
apiVersion: v1
data:
excludeGroupRole: system:serviceaccounts:kube-system,system:nodes,system:kube-scheduler
resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]'
resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]'
kind: ConfigMap
metadata:
name: init-config
Expand All @@ -2397,6 +2397,7 @@ kind: Service
metadata:
labels:
app: kyverno
app.kubernetes.io/name: kyverno
name: kyverno-svc
namespace: kyverno
spec:
Expand All @@ -2405,3 +2406,4 @@ spec:
targetPort: https
selector:
app: kyverno
app.kubernetes.io/name: kyverno
2 changes: 2 additions & 0 deletions definitions/k8s-resource/clusterroles.yaml
Expand Up @@ -11,12 +11,14 @@ metadata:
name: kyverno-svc
labels:
app: kyverno
app.kubernetes.io/name: kyverno
spec:
ports:
- port: 443
targetPort: https
selector:
app: kyverno
app.kubernetes.io/name: kyverno
---
apiVersion: v1
kind: ServiceAccount
2 changes: 1 addition & 1 deletion definitions/k8s-resource/configmap.yaml
@@ -1,6 +1,6 @@
apiVersion: v1
data:
resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]'
resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]'
excludeGroupRole: 'system:serviceaccounts:kube-system,system:nodes,system:kube-scheduler'
kind: ConfigMap
metadata:
3 changes: 3 additions & 0 deletions definitions/manifest/deployment.yaml
Expand Up @@ -6,15 +6,18 @@ metadata:
name: kyverno
labels:
app: kyverno
app.kubernetes.io/name: kyverno
spec:
selector:
matchLabels:
app: kyverno
app.kubernetes.io/name: kyverno
replicas: 1
template:
metadata:
labels:
app: kyverno
app.kubernetes.io/name: kyverno
spec:
serviceAccountName: kyverno-service-account
securityContext:
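Review bot: Adding `app.kubernetes.io/name: kyverno` under `spec.selector.matchLabels` changes a field that apps/v1 Deployments treat as immutable, so applying this manifest over an existing Kyverno installation is rejected by the API server unless the Deployment is deleted and recreated; the same selector edit appears in definitions/install.yaml. The Service selector change in install.yaml, install_debug.yaml and clusterroles.yaml has a related effect: Pods from a pre-upgrade Deployment lack the new label and drop out of the Service endpoints until they are rolled, and during that window the endpoint check in pkg/webhookconfig/registration.go would not find a matching IP. If in-place upgrades are meant to keep working, either leave the Deployment selector on `app: kyverno` alone (the Pod template label is sufficient for the Service to select the new Pods) or document the delete-and-recreate step alongside this change.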
61 changes: 52 additions & 9 deletions pkg/webhookconfig/registration.go
Expand Up @@ -316,6 +316,14 @@ func (wrc *Register) removePolicyMutatingWebhookConfiguration(wg *sync.WaitGroup
mutatingConfig := wrc.getPolicyMutatingWebhookConfigurationName()

logger := wrc.log.WithValues("kind", kindMutating, "name", mutatingConfig)

if mutateCache, ok := wrc.resCache.GetGVRCache("MutatingWebhookConfiguration"); ok {
if _, err := mutateCache.Lister().Get(mutatingConfig); err != nil && errorsapi.IsNotFound(err) {
logger.V(4).Info("webhook not found")
return
}
}

err := wrc.client.DeleteResource("", kindMutating, "", mutatingConfig, false)
if errorsapi.IsNotFound(err) {
logger.V(5).Info("policy mutating webhook configuration not found")
Expand Down Expand Up @@ -346,6 +354,13 @@ func (wrc *Register) removePolicyValidatingWebhookConfiguration(wg *sync.WaitGro
validatingConfig := wrc.getPolicyValidatingWebhookConfigurationName()

logger := wrc.log.WithValues("kind", kindValidating, "name", validatingConfig)
if mutateCache, ok := wrc.resCache.GetGVRCache("ValidatingWebhookConfiguration"); ok {
if _, err := mutateCache.Lister().Get(validatingConfig); err != nil && errorsapi.IsNotFound(err) {
logger.V(4).Info("webhook not found")
return
}
}

logger.V(4).Info("removing validating webhook configuration")
err := wrc.client.DeleteResource("", kindValidating, "", validatingConfig, false)
if errorsapi.IsNotFound(err) {
Expand Down Expand Up @@ -424,8 +439,15 @@ func (wrc *Register) removeVerifyWebhookMutatingWebhookConfig(wg *sync.WaitGroup

var err error
mutatingConfig := wrc.getVerifyWebhookMutatingWebhookName()

logger := wrc.log.WithValues("kind", kindMutating, "name", mutatingConfig)

if mutateCache, ok := wrc.resCache.GetGVRCache("MutatingWebhookConfiguration"); ok {
if _, err := mutateCache.Lister().Get(mutatingConfig); err != nil && errorsapi.IsNotFound(err) {
logger.V(4).Info("webhook not found")
return
}
}

err = wrc.client.DeleteResource("", kindMutating, "", mutatingConfig, false)
if errorsapi.IsNotFound(err) {
logger.V(5).Info("verify webhook configuration not found")
Expand Down Expand Up @@ -464,7 +486,7 @@ func (wrc *Register) removeSecrets() {
}

secretList, err := wrc.client.ListResource("", "Secret", config.KyvernoNamespace, selector)
if err != nil && errorsapi.IsNotFound(err) {
if err != nil {
wrc.log.Error(err, "failed to clean up Kyverno managed secrets")
return
}
Expand All @@ -479,24 +501,45 @@ func (wrc *Register) removeSecrets() {
func (wrc *Register) checkEndpoint() error {
obj, err := wrc.client.GetResource("", "Endpoints", config.KyvernoNamespace, config.KyvernoServiceName)
if err != nil {
wrc.log.Error(err, "failed to get endpoint", "ns", config.KyvernoNamespace, "name", config.KyvernoServiceName)
return err
return fmt.Errorf("failed to get endpoint %s/%s: %v", config.KyvernoNamespace, config.KyvernoServiceName, err)
}
var endpoint corev1.Endpoints
err = runtime.DefaultUnstructuredConverter.FromUnstructured(obj.UnstructuredContent(), &endpoint)
if err != nil {
wrc.log.Error(err, "failed to convert endpoint from unstructured", "ns", config.KyvernoNamespace, "name", config.KyvernoServiceName)
return err
return fmt.Errorf("failed to convert endpoint %s/%s from unstructured: %v", config.KyvernoNamespace, config.KyvernoServiceName, err)
}

pods, err := wrc.client.ListResource("", "Pod", config.KyvernoNamespace, &v1.LabelSelector{MatchLabels: map[string]string{"app.kubernetes.io/name": "kyverno"}})
if err != nil {
return fmt.Errorf("failed to list Kyverno Pod: %v", err)
}

kyverno := pods.Items[0]


@kacejot

kacejot Apr 14, 2021

Contributor

I have a crash here while trying to run deployment out of cluster:

I0414 12:20:41.213665   48868 registration.go:66] Register "msg"="Registering webhook"  "url"="https://192.168.88.254:9443"
panic: runtime error: index out of range [0] with length 0

goroutine 1059 [running]:
github.com/kyverno/kyverno/pkg/webhookconfig.(*Register).checkEndpoint(0xc000716140, 0x0, 0x0)
	/home/umka/go/src/github.com/kyverno/kyverno/pkg/webhookconfig/registration.go:517 +0x154c
github.com/kyverno/kyverno/pkg/webhookconfig.(*Register).Register(0xc000716140, 0x0, 0x0)
	/home/umka/go/src/github.com/kyverno/kyverno/pkg/webhookconfig/registration.go:68 +0x295
main.main.func2(0xc000716140)
	/home/umka/go/src/github.com/kyverno/kyverno/cmd/kyverno/main.go:309 +0x1a5
created by main.main
	/home/umka/go/src/github.com/kyverno/kyverno/cmd/kyverno/main.go:300 +0x2b6c


@realshuting

realshuting Apr 14, 2021

Author Member

@vyankyGH - I recall we discussed a similar issue, can we also use that flag debug to skip the check here? Let's send the PR to fix it.


@kacejot

kacejot Apr 14, 2021

Contributor

@realshuting, which flag? If there are some instructions changed to run dev environment, could someone update this wiki page, please?


@realshuting

realshuting Apr 14, 2021

Author Member

This debug flag:

debug := serverIP != ""

@vyankd - can you send the PR? And let's update the wiki accordingly.

podIp, _, err := unstructured.NestedString(kyverno.UnstructuredContent(), "status", "podIP")
if err != nil {
return fmt.Errorf("failed to extract pod IP: %v", err)
}

if podIp == "" {
return fmt.Errorf("Pod is not assigned to any node yet")
}

for _, subset := range endpoint.Subsets {
if len(subset.Addresses) == 0 {
continue
}
if subset.Addresses[0].IP != "" {
wrc.log.Info("Endpoint ready", "ns", config.KyvernoNamespace, "name", config.KyvernoServiceName)
return nil

for _, addr := range subset.Addresses {
if addr.IP == podIp {
wrc.log.Info("Endpoint ready", "ns", config.KyvernoNamespace, "name", config.KyvernoServiceName)
return nil
}
}
}

// clean up old webhook configurations, if any
wrc.removeWebhookConfigurations()

err = fmt.Errorf("Endpoint not ready")
wrc.log.V(3).Info(err.Error(), "ns", config.KyvernoNamespace, "name", config.KyvernoServiceName)
return err
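Review bot: The Pod compared against the endpoint at `kyverno := pods.Items[0]` is whichever Pod the list happens to return first, so with more than one replica or during a rolling update the IP checked may belong to a sibling or terminating Pod rather than the process running this check, and the "exact Pod" match the commit title describes is not guaranteed. The `ListResource` call selects on `app.kubernetes.io/name: kyverno` alone; narrowing it to this Pod's own name or IP (for example supplied through the downward API) would make the comparison deterministic, but that needs plumbing outside this hunk, so I am raising it rather than proposing lines. Smaller points in the same hunk: `podIp` should be `podIP`, the messages in `fmt.Errorf("Pod is not assigned to any node yet")` and `fmt.Errorf("Endpoint not ready")` should start lowercase, and the `%v` in the new `fmt.Errorf` wrappers should be `%w` so callers can inspect the underlying API error with errors.Is/As. checkEndpoint's closing lines are outside the hunk.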
17 changes: 17 additions & 0 deletions pkg/webhookconfig/resource.go
Expand Up @@ -7,6 +7,7 @@ import (
"github.com/kyverno/kyverno/pkg/config"
admregapi "k8s.io/api/admissionregistration/v1beta1"
"k8s.io/apimachinery/pkg/api/errors"
errorsapi "k8s.io/apimachinery/pkg/api/errors"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

Expand Down Expand Up @@ -70,6 +71,14 @@ func (wrc *Register) removeResourceMutatingWebhookConfiguration(wg *sync.WaitGro

configName := wrc.getResourceMutatingWebhookConfigName()
logger := wrc.log.WithValues("kind", kindMutating, "name", configName)

if mutateCache, ok := wrc.resCache.GetGVRCache("MutatingWebhookConfiguration"); ok {
if _, err := mutateCache.Lister().Get(configName); err != nil && errorsapi.IsNotFound(err) {
logger.V(4).Info("webhook not found")
return
}
}

// delete webhook configuration
err := wrc.client.DeleteResource("", kindMutating, "", configName, false)
if errors.IsNotFound(err) {
Expand Down Expand Up @@ -146,6 +155,14 @@ func (wrc *Register) removeResourceValidatingWebhookConfiguration(wg *sync.WaitG

configName := wrc.getResourceValidatingWebhookConfigName()
logger := wrc.log.WithValues("kind", kindValidating, "name", configName)

if mutateCache, ok := wrc.resCache.GetGVRCache("ValidatingWebhookConfiguration"); ok {
if _, err := mutateCache.Lister().Get(configName); err != nil && errorsapi.IsNotFound(err) {
logger.V(4).Info("webhook not found")
return
}
}

err := wrc.client.DeleteResource("", kindValidating, "", configName, false)
if errors.IsNotFound(err) {
logger.V(5).Info("webhook configuration not found")
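Review bot: The import hunk adds `errorsapi "k8s.io/apimachinery/pkg/api/errors"` directly under the existing unnamed import of the same path, so the file now imports one package twice under two names (staticcheck ST1019); the two new lister checks can call `errors.IsNotFound(err)` exactly as the `DeleteResource` error handling a few lines below each of them already does, and the added import line should be dropped. In removeResourceValidatingWebhookConfiguration the cache handle is named `mutateCache` although it holds the ValidatingWebhookConfiguration cache; `validateCache` would match the kind, and the same naming appears in registration.go's removePolicyValidatingWebhookConfiguration. One caveat worth a comment on each new block, in this file and in the three matching blocks in registration.go: an informer lister reflects the local cache rather than the API server, so a not-found from `Lister().Get` shortly after startup or after a fresh creation may be stale, in which case the delete is skipped and the webhook configuration is left behind, e.g. `// lister-backed check avoids a throttled API call; a stale cache skips the delete, so this is an optimization, not a guarantee`. Both enclosing functions start and end outside their hunks.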
