update webhook registration and monitor (kyverno#1318)

* update webhook registration and monitor

* update log

* fix test

* improve logs

* improve logs

* format changes

* decrease interval for webhook config checks

cmd/kyverno/main.go

@@ -9,7 +9,6 @@ import (
 	"os"
 	"time"
 
-	"github.com/kyverno/kyverno/pkg/checker"
 	kyvernoclient "github.com/kyverno/kyverno/pkg/client/clientset/versioned"
 	kyvernoinformer "github.com/kyverno/kyverno/pkg/client/informers/externalversions"
 	"github.com/kyverno/kyverno/pkg/common"
@@ -137,23 +136,16 @@ func main() {
 	kubeInformer := kubeinformers.NewSharedInformerFactoryWithOptions(kubeClient, resyncPeriod)
 	kubedynamicInformer := client.NewDynamicSharedInformerFactory(resyncPeriod)
 
-	webhookRegistrationClient := webhookconfig.NewWebhookRegistrationClient(
+	webhookCfg := webhookconfig.NewRegister(
 		clientConfig,
 		client,
 		serverIP,
 		int32(webhookTimeout),
 		log.Log)
 
 	// Resource Mutating Webhook Watcher
-	lastReqTime := checker.NewLastReqTime(log.Log.WithName("LastReqTime"))
-	rWebhookWatcher := webhookconfig.NewResourceWebhookRegister(
-		lastReqTime,
-		kubeInformer.Admissionregistration().V1beta1().MutatingWebhookConfigurations(),
-		kubeInformer.Admissionregistration().V1beta1().ValidatingWebhookConfigurations(),
-		webhookRegistrationClient,
-		runValidationInMutatingWebhook,
-		log.Log.WithName("ResourceWebhookRegister"),
-	)
+	webhookMonitor := webhookconfig.NewMonitor(log.Log.WithName("WebhookMonitor"))
+
 
 	// KYVERNO CRD INFORMER
 	// watches CRD resources:
@@ -224,7 +216,6 @@ func main() {
 		configData,
 		eventGenerator,
 		reportReqGen,
-		rWebhookWatcher,
 		kubeInformer.Core().V1().Namespaces(),
 		log.Log.WithName("PolicyController"),
 		rCache,
@@ -282,20 +273,16 @@ func main() {
 		rCache,
 	)
 
-	// CONFIGURE CERTIFICATES
+	// Configure certificates
 	tlsPair, err := client.InitTLSPemPair(clientConfig, fqdncn)
 	if err != nil {
 		setupLog.Error(err, "Failed to initialize TLS key/certificate pair")
 		os.Exit(1)
 	}
 
-	// WEBHOOK REGISTRATION
-	// - mutating,validatingwebhookconfiguration (Policy)
-	// - verifymutatingwebhookconfiguration (Kyverno Deployment)
-	// resource webhook confgiuration is generated dynamically in the webhook server and policy controller
-	// based on the policy resources created
-	if err = webhookRegistrationClient.Register(); err != nil {
-		setupLog.Error(err, "Failed to register Admission webhooks")
+	// Register webhookCfg
+	if err = webhookCfg.Register(); err != nil {
+		setupLog.Error(err, "Failed to register admission control webhooks")
 		os.Exit(1)
 	}
 
@@ -327,12 +314,12 @@ func main() {
 		kubeInformer.Rbac().V1().ClusterRoles(),
 		eventGenerator,
 		pCacheController.Cache,
-		webhookRegistrationClient,
+		webhookCfg,
+		webhookMonitor,
 		statusSync.Listener,
 		configData,
 		reportReqGen,
 		grgen,
-		rWebhookWatcher,
 		auditHandler,
 		supportMutateValidate,
 		cleanUp,
@@ -354,7 +341,6 @@ func main() {
 	go reportReqGen.Run(2, stopCh)
 	go prgen.Run(1, stopCh)
 	go grgen.Run(1)
-	go rWebhookWatcher.Run(stopCh)
 	go configData.Run(stopCh)
 	go policyCtrl.Run(2, stopCh)
 	go eventGenerator.Run(3, stopCh)
@@ -366,11 +352,7 @@ func main() {
 	openAPISync.Run(1, stopCh)
 
 	// verifies if the admission control is enabled and active
-	// resync: 60 seconds
-	// deadline: 60 seconds (send request)
-	// max deadline: deadline*3 (set the deployment annotation as false)
 	server.RunAsync(stopCh)
-
 	<-stopCh
 
 	// by default http.Server waits indefinitely for connections to return to idle and then shuts down

pkg/config/config.go

@@ -15,32 +15,32 @@ const (
 	//MutatingWebhookConfigurationDebugName default resource mutating webhook configuration name for debug mode
 	MutatingWebhookConfigurationDebugName = "kyverno-resource-mutating-webhook-cfg-debug"
 	//MutatingWebhookName default resource mutating webhook name
-	MutatingWebhookName = "nirmata.kyverno.resource.mutating-webhook"
+	MutatingWebhookName = "mutate.kyverno.svc"
 
 	ValidatingWebhookConfigurationName      = "kyverno-resource-validating-webhook-cfg"
 	ValidatingWebhookConfigurationDebugName = "kyverno-resource-validating-webhook-cfg-debug"
-	ValidatingWebhookName                   = "nirmata.kyverno.resource.validating-webhook"
+	ValidatingWebhookName                   = "validate.kyverno.svc"
 
 	//VerifyMutatingWebhookConfigurationName default verify mutating webhook configuration name
 	VerifyMutatingWebhookConfigurationName = "kyverno-verify-mutating-webhook-cfg"
 	//VerifyMutatingWebhookConfigurationDebugName default verify mutating webhook configuration name for debug mode
 	VerifyMutatingWebhookConfigurationDebugName = "kyverno-verify-mutating-webhook-cfg-debug"
 	//VerifyMutatingWebhookName default verify mutating webhook name
-	VerifyMutatingWebhookName = "nirmata.kyverno.verify-mutating-webhook"
+	VerifyMutatingWebhookName = "monitor-webhooks.kyverno.svc"
 
 	//PolicyValidatingWebhookConfigurationName default policy validating webhook configuration name
 	PolicyValidatingWebhookConfigurationName = "kyverno-policy-validating-webhook-cfg"
 	//PolicyValidatingWebhookConfigurationDebugName default policy validating webhook configuration name for debug mode
 	PolicyValidatingWebhookConfigurationDebugName = "kyverno-policy-validating-webhook-cfg-debug"
 	//PolicyValidatingWebhookName default policy validating webhook name
-	PolicyValidatingWebhookName = "nirmata.kyverno.policy-validating-webhook"
+	PolicyValidatingWebhookName = "validate-policy.kyverno.svc"
 
 	//PolicyMutatingWebhookConfigurationName default policy mutating webhook configuration name
 	PolicyMutatingWebhookConfigurationName = "kyverno-policy-mutating-webhook-cfg"
 	//PolicyMutatingWebhookConfigurationDebugName default policy mutating webhook configuration name for debug mode
 	PolicyMutatingWebhookConfigurationDebugName = "kyverno-policy-mutating-webhook-cfg-debug"
 	//PolicyMutatingWebhookName default policy mutating webhook name
-	PolicyMutatingWebhookName = "nirmata.kyverno.policy-mutating-webhook"
+	PolicyMutatingWebhookName = "mutate-policy.kyverno.svc"
 
 	// Due to kubernetes issue, we must use next literal constants instead of deployment TypeMeta fields
 	// Issue: https://github.com/kubernetes/kubernetes/pull/63972
@@ -54,26 +54,33 @@ const (
 )
 
 var (
-	//KubePolicyNamespace is the kyverno policy namespace
-	KubePolicyNamespace = getKyvernoNameSpace()
-	// KubePolicyDeploymentName define the default deployment namespace
-	KubePolicyDeploymentName = "kyverno"
+	//KyvernoNamespace is the Kyverno namespace
+	KyvernoNamespace = getKyvernoNameSpace()
 
-	//WebhookServiceName default kyverno webhook service name
-	WebhookServiceName = getWebhookServiceName()
+	// KyvernoDeploymentName is the Kyverno deployment name
+	KyvernoDeploymentName = getKyvernoDeploymentName()
+
+	//KyvernoServiceName is the Kyverno service name
+	KyvernoServiceName = getKyvernoServiceName()
 
 	//MutatingWebhookServicePath is the path for mutation webhook
 	MutatingWebhookServicePath = "/mutate"
+
 	//ValidatingWebhookServicePath is the path for validation webhook
 	ValidatingWebhookServicePath = "/validate"
+
 	//PolicyValidatingWebhookServicePath is the path for policy validation webhook(used to validate policy resource)
 	PolicyValidatingWebhookServicePath = "/policyvalidate"
+
 	//PolicyMutatingWebhookServicePath is the path for policy mutation webhook(used to default)
 	PolicyMutatingWebhookServicePath = "/policymutate"
+
 	//VerifyMutatingWebhookServicePath is the path for verify webhook(used to veryfing if admission control is enabled and active)
 	VerifyMutatingWebhookServicePath = "/verifymutate"
+
 	// LivenessServicePath is the path for check liveness health
 	LivenessServicePath = "/health/liveness"
+
 	// ReadinessServicePath is the path for check readness health
 	ReadinessServicePath = "/health/readiness"
 )
@@ -98,11 +105,20 @@ func getKyvernoNameSpace() string {
 	return kyvernoNamespace
 }
 
-// getWebhookServiceName - setting default WebhookServiceName
-func getWebhookServiceName() string {
+// getKyvernoServiceName - setting default KyvernoServiceName
+func getKyvernoServiceName() string {
 	webhookServiceName := os.Getenv("KYVERNO_SVC")
 	if webhookServiceName == "" {
 		webhookServiceName = "kyverno-svc"
 	}
 	return webhookServiceName
 }
+
+// getKyvernoDeploymentName - setting default KyvernoServiceName
+func getKyvernoDeploymentName() string {
+	name := os.Getenv("KYVERNO_DEPLOYMENT")
+	if name == "" {
+		name = "kyverno"
+	}
+	return name
+}

pkg/dclient/certificates.go

@@ -234,8 +234,8 @@ func (c *Client) GetTLSCertProps(configuration *rest.Config) (certProps tls.Cert
 		return certProps, err
 	}
 	certProps = tls.CertificateProps{
-		Service:       config.WebhookServiceName,
-		Namespace:     config.KubePolicyNamespace,
+		Service:       config.KyvernoServiceName,
+		Namespace:     config.KyvernoNamespace,
 		APIServerHost: apiServerURL.Hostname(),
 	}
 	return certProps, nil

pkg/dclient/client.go

@@ -75,7 +75,7 @@ func (c *Client) NewDynamicSharedInformerFactory(defaultResync time.Duration) dy
 
 //GetKubePolicyDeployment returns kube policy depoyment value
 func (c *Client) GetKubePolicyDeployment() (*apps.Deployment, error) {
-	kubePolicyDeployment, err := c.GetResource("", "Deployment", config.KubePolicyNamespace, config.KubePolicyDeploymentName)
+	kubePolicyDeployment, err := c.GetResource("", "Deployment", config.KyvernoNamespace, config.KyvernoDeploymentName)
 	if err != nil {
 		return nil, err
 	}

pkg/dclient/client_test.go

@@ -40,7 +40,7 @@ func newFixture(t *testing.T) *fixture {
 		newUnstructured("group/version", "TheKind", "ns-foo", "name-bar"),
 		newUnstructured("group/version", "TheKind", "ns-foo", "name-baz"),
 		newUnstructured("group2/version", "TheKind", "ns-foo", "name2-baz"),
-		newUnstructured("apps/v1", "Deployment", config.KubePolicyNamespace, config.KubePolicyDeploymentName),
+		newUnstructured("apps/v1", "Deployment", config.KyvernoNamespace, config.KyvernoDeploymentName),
 	}
 	scheme := runtime.NewScheme()
 	// Create mock client

pkg/generate/cleanup/controller.go

@@ -80,7 +80,7 @@ func NewController(
 	c.syncHandler = c.syncGenerateRequest
 
 	c.pLister = pInformer.Lister()
-	c.grLister = grInformer.Lister().GenerateRequests(config.KubePolicyNamespace)
+	c.grLister = grInformer.Lister().GenerateRequests(config.KyvernoNamespace)
 
 	c.pSynced = pInformer.Informer().HasSynced
 	c.grSynced = grInformer.Informer().HasSynced

pkg/generate/cleanup/resource.go

@@ -20,5 +20,5 @@ type Control struct {
 
 //Delete deletes the specified resource
 func (c Control) Delete(gr string) error {
-	return c.client.KyvernoV1().GenerateRequests(config.KubePolicyNamespace).Delete(context.TODO(), gr, metav1.DeleteOptions{})
+	return c.client.KyvernoV1().GenerateRequests(config.KyvernoNamespace).Delete(context.TODO(), gr, metav1.DeleteOptions{})
 }

pkg/generate/controller.go

@@ -109,7 +109,7 @@ func NewController(
 	c.syncHandler = c.syncGenerateRequest
 
 	c.pLister = pInformer.Lister()
-	c.grLister = grInformer.Lister().GenerateRequests(config.KubePolicyNamespace)
+	c.grLister = grInformer.Lister().GenerateRequests(config.KyvernoNamespace)
 
 	c.pSynced = pInformer.Informer().HasSynced
 	c.grSynced = pInformer.Informer().HasSynced