Match endpoint to the exact Kyverno Pod's IP (#1787)
* update log message Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update printer column - validation failure action Signed-off-by: Shuting Zhao <shutting06@gmail.com> * match endpoint ip with the exact pod ip Signed-off-by: Shuting Zhao <shutting06@gmail.com> * - add tag "app.kubernetes.io/name"; - reduce throttling requests when deleting webhook configs Signed-off-by: Shuting Zhao <shutting06@gmail.com> * add [SelfSubjectAccessReview,*,*] to resource filters Signed-off-by: Shuting Zhao <shutting06@gmail.com>
1 parent
fae4809
commit 9dab216
Showing
8 changed files
with
85 additions
and
12 deletions.
@@ -316,6 +316,14 @@ func (wrc *Register) removePolicyMutatingWebhookConfiguration(wg *sync.WaitGroup | |
mutatingConfig := wrc.getPolicyMutatingWebhookConfigurationName() | ||
|
||
logger := wrc.log.WithValues("kind", kindMutating, "name", mutatingConfig) | ||
|
||
if mutateCache, ok := wrc.resCache.GetGVRCache("MutatingWebhookConfiguration"); ok { | ||
if _, err := mutateCache.Lister().Get(mutatingConfig); err != nil && errorsapi.IsNotFound(err) { | ||
logger.V(4).Info("webhook not found") | ||
return | ||
} | ||
} | ||
|
||
err := wrc.client.DeleteResource("", kindMutating, "", mutatingConfig, false) | ||
if errorsapi.IsNotFound(err) { | ||
logger.V(5).Info("policy mutating webhook configuration not found") | ||
|
@@ -346,6 +354,13 @@ func (wrc *Register) removePolicyValidatingWebhookConfiguration(wg *sync.WaitGro | |
validatingConfig := wrc.getPolicyValidatingWebhookConfigurationName() | ||
|
||
logger := wrc.log.WithValues("kind", kindValidating, "name", validatingConfig) | ||
if mutateCache, ok := wrc.resCache.GetGVRCache("ValidatingWebhookConfiguration"); ok { | ||
if _, err := mutateCache.Lister().Get(validatingConfig); err != nil && errorsapi.IsNotFound(err) { | ||
logger.V(4).Info("webhook not found") | ||
return | ||
} | ||
} | ||
|
||
logger.V(4).Info("removing validating webhook configuration") | ||
err := wrc.client.DeleteResource("", kindValidating, "", validatingConfig, false) | ||
if errorsapi.IsNotFound(err) { | ||
|
@@ -424,8 +439,15 @@ func (wrc *Register) removeVerifyWebhookMutatingWebhookConfig(wg *sync.WaitGroup | |
|
||
var err error | ||
mutatingConfig := wrc.getVerifyWebhookMutatingWebhookName() | ||
|
||
logger := wrc.log.WithValues("kind", kindMutating, "name", mutatingConfig) | ||
|
||
if mutateCache, ok := wrc.resCache.GetGVRCache("MutatingWebhookConfiguration"); ok { | ||
if _, err := mutateCache.Lister().Get(mutatingConfig); err != nil && errorsapi.IsNotFound(err) { | ||
logger.V(4).Info("webhook not found") | ||
return | ||
} | ||
} | ||
|
||
err = wrc.client.DeleteResource("", kindMutating, "", mutatingConfig, false) | ||
if errorsapi.IsNotFound(err) { | ||
logger.V(5).Info("verify webhook configuration not found") | ||
|
@@ -464,7 +486,7 @@ func (wrc *Register) removeSecrets() { | |
} | ||
|
||
secretList, err := wrc.client.ListResource("", "Secret", config.KyvernoNamespace, selector) | ||
if err != nil && errorsapi.IsNotFound(err) { | ||
if err != nil { | ||
wrc.log.Error(err, "failed to clean up Kyverno managed secrets") | ||
return | ||
} | ||
|
@@ -479,24 +501,45 @@ func (wrc *Register) removeSecrets() { | |
func (wrc *Register) checkEndpoint() error { | ||
obj, err := wrc.client.GetResource("", "Endpoints", config.KyvernoNamespace, config.KyvernoServiceName) | ||
if err != nil { | ||
wrc.log.Error(err, "failed to get endpoint", "ns", config.KyvernoNamespace, "name", config.KyvernoServiceName) | ||
return err | ||
return fmt.Errorf("failed to get endpoint %s/%s: %v", config.KyvernoNamespace, config.KyvernoServiceName, err) | ||
} | ||
var endpoint corev1.Endpoints | ||
err = runtime.DefaultUnstructuredConverter.FromUnstructured(obj.UnstructuredContent(), &endpoint) | ||
if err != nil { | ||
wrc.log.Error(err, "failed to convert endpoint from unstructured", "ns", config.KyvernoNamespace, "name", config.KyvernoServiceName) | ||
return err | ||
return fmt.Errorf("failed to convert endpoint %s/%s from unstructured: %v", config.KyvernoNamespace, config.KyvernoServiceName, err) | ||
} | ||
|
||
pods, err := wrc.client.ListResource("", "Pod", config.KyvernoNamespace, &v1.LabelSelector{MatchLabels: map[string]string{"app.kubernetes.io/name": "kyverno"}}) | ||
if err != nil { | ||
return fmt.Errorf("failed to list Kyverno Pod: %v", err) | ||
} | ||
|
||
kyverno := pods.Items[0] | ||
|
||
podIp, _, err := unstructured.NestedString(kyverno.UnstructuredContent(), "status", "podIP") | ||
if err != nil { | ||
return fmt.Errorf("failed to extract pod IP: %v", err) | ||
} | ||
|
||
if podIp == "" { | ||
return fmt.Errorf("Pod is not assigned to any node yet") | ||
} | ||
|
||
for _, subset := range endpoint.Subsets { | ||
if len(subset.Addresses) == 0 { | ||
continue | ||
} | ||
if subset.Addresses[0].IP != "" { | ||
wrc.log.Info("Endpoint ready", "ns", config.KyvernoNamespace, "name", config.KyvernoServiceName) | ||
return nil | ||
|
||
for _, addr := range subset.Addresses { | ||
if addr.IP == podIp { | ||
wrc.log.Info("Endpoint ready", "ns", config.KyvernoNamespace, "name", config.KyvernoServiceName) | ||
return nil | ||
} | ||
} | ||
} | ||
|
||
// clean up old webhook configurations, if any | ||
wrc.removeWebhookConfigurations() | ||
|
||
err = fmt.Errorf("Endpoint not ready") | ||
wrc.log.V(3).Info(err.Error(), "ns", config.KyvernoNamespace, "name", config.KyvernoServiceName) | ||
return err | ||
|
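Review bot: `kyverno := pods.Items[0]` in checkEndpoint takes whichever pod the list returns first, so with more than one replica the IP compared against the endpoint subsets may belong to a sibling pod rather than the one running this check, which undercuts the exact-IP match the commit is after; the same expression also indexes without a length guard. Prefer selecting the pod this process runs in (its name is normally exposed to the container via the downward API — confirm how the deployment provides it) and precede the index with `if len(pods.Items) == 0 { return fmt.Errorf("no Kyverno Pod found in %s", config.KyvernoNamespace) }`. The new error returns wrap with `%v`; `%w` would let callers inspect the underlying API error with errors.Is/As. `podIp` would be `podIP` under Go's initialism convention, and checkEndpoint's closing brace lies outside the hunk.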
I have a crash here while trying to run deployment out of cluster: