-
Notifications
You must be signed in to change notification settings - Fork 762
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: Move K8scel driver from framework #3570
Changes from all commits
ebb08b7
94cad3f
78c4ef4
99c98e9
eeee348
fcde683
78f720f
02c4374
617d47f
d17700d
6f598fa
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. We should probably just wait for the scheme.Convert() bug to be fixed, as that's the "proper K8s" way to convert across versions. In general, core libraries should deal only with unversioned representations. This has the added advantage of reducing merge conflicts with your PR. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I'm ok with leaving it as is. but can we add a TODO comment for the bug and open an issue so we can come back to it later to clean it up? @JaydipGabani There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I added the TODO -
This is the response I got "Conversion is only defined to the internal "hub" API type, not directly from one external version to another, and is only done by the api server, not by clients." I will follow up with api-server to see if this is something that can be fixed. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. hmm then sounds like its not a bug. not a blocker for this PR tho. |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -27,12 +27,12 @@ import ( | |
"github.com/go-logr/logr" | ||
"github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1" | ||
constraintclient "github.com/open-policy-agent/frameworks/constraint/pkg/client" | ||
celSchema "github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/k8scel/schema" | ||
"github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/k8scel/transform" | ||
"github.com/open-policy-agent/frameworks/constraint/pkg/core/templates" | ||
constraintstatusv1beta1 "github.com/open-policy-agent/gatekeeper/v3/apis/status/v1beta1" | ||
"github.com/open-policy-agent/gatekeeper/v3/pkg/controller/config/process" | ||
"github.com/open-policy-agent/gatekeeper/v3/pkg/controller/constraintstatus" | ||
celSchema "github.com/open-policy-agent/gatekeeper/v3/pkg/drivers/k8scel/schema" | ||
"github.com/open-policy-agent/gatekeeper/v3/pkg/drivers/k8scel/transform" | ||
"github.com/open-policy-agent/gatekeeper/v3/pkg/logging" | ||
"github.com/open-policy-agent/gatekeeper/v3/pkg/metrics" | ||
"github.com/open-policy-agent/gatekeeper/v3/pkg/operations" | ||
|
@@ -49,8 +49,6 @@ import ( | |
"k8s.io/apimachinery/pkg/runtime" | ||
"k8s.io/apimachinery/pkg/runtime/schema" | ||
"k8s.io/apimachinery/pkg/types" | ||
"k8s.io/client-go/kubernetes" | ||
rest "k8s.io/client-go/rest" | ||
"k8s.io/utils/ptr" | ||
"sigs.k8s.io/controller-runtime/pkg/client" | ||
"sigs.k8s.io/controller-runtime/pkg/client/apiutil" | ||
|
@@ -75,11 +73,6 @@ var ( | |
ErrValidatingAdmissionPolicyAPIDisabled = errors.New("ValidatingAdmissionPolicy API is not enabled") | ||
ErrVAPConditionsNotSatisfied = errors.New("Conditions are not satisfied to generate ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding") | ||
) | ||
var vapMux sync.RWMutex | ||
|
||
var VapAPIEnabled *bool | ||
|
||
var GroupVersion *schema.GroupVersion | ||
|
||
type Adder struct { | ||
CFClient *constraintclient.Client | ||
|
@@ -317,7 +310,7 @@ func (r *ReconcileConstraint) Reconcile(ctx context.Context, request reconcile.R | |
isAPIEnabled := false | ||
var groupVersion *schema.GroupVersion | ||
if generateVAPB { | ||
isAPIEnabled, groupVersion = IsVapAPIEnabled() | ||
isAPIEnabled, groupVersion = transform.IsVapAPIEnabled(&log) | ||
} | ||
if generateVAPB { | ||
if !isAPIEnabled { | ||
|
@@ -620,67 +613,6 @@ func (c *ConstraintsCache) reportTotalConstraints(ctx context.Context, reporter | |
} | ||
} | ||
|
||
func IsVapAPIEnabled() (bool, *schema.GroupVersion) { | ||
vapMux.RLock() | ||
if VapAPIEnabled != nil { | ||
apiEnabled, gvk := *VapAPIEnabled, GroupVersion | ||
vapMux.RUnlock() | ||
return apiEnabled, gvk | ||
} | ||
|
||
vapMux.RUnlock() | ||
vapMux.Lock() | ||
defer vapMux.Unlock() | ||
|
||
if VapAPIEnabled != nil { | ||
return *VapAPIEnabled, GroupVersion | ||
} | ||
config, err := rest.InClusterConfig() | ||
if err != nil { | ||
log.Info("IsVapAPIEnabled InClusterConfig", "error", err) | ||
VapAPIEnabled = new(bool) | ||
*VapAPIEnabled = false | ||
return false, nil | ||
} | ||
clientset, err := kubernetes.NewForConfig(config) | ||
if err != nil { | ||
log.Info("IsVapAPIEnabled NewForConfig", "error", err) | ||
*VapAPIEnabled = false | ||
return false, nil | ||
} | ||
|
||
groupVersion := admissionregistrationv1.SchemeGroupVersion | ||
resList, err := clientset.Discovery().ServerResourcesForGroupVersion(groupVersion.String()) | ||
if err == nil { | ||
for i := 0; i < len(resList.APIResources); i++ { | ||
if resList.APIResources[i].Name == "validatingadmissionpolicies" { | ||
VapAPIEnabled = new(bool) | ||
*VapAPIEnabled = true | ||
GroupVersion = &groupVersion | ||
return true, GroupVersion | ||
} | ||
} | ||
} | ||
|
||
groupVersion = admissionregistrationv1beta1.SchemeGroupVersion | ||
resList, err = clientset.Discovery().ServerResourcesForGroupVersion(groupVersion.String()) | ||
if err == nil { | ||
for i := 0; i < len(resList.APIResources); i++ { | ||
if resList.APIResources[i].Name == "validatingadmissionpolicies" { | ||
VapAPIEnabled = new(bool) | ||
*VapAPIEnabled = true | ||
GroupVersion = &groupVersion | ||
return true, GroupVersion | ||
} | ||
} | ||
} | ||
|
||
log.Error(err, "error checking VAP API availability", "IsVapAPIEnabled", "false") | ||
VapAPIEnabled = new(bool) | ||
*VapAPIEnabled = false | ||
return false, nil | ||
} | ||
|
||
func vapBindingForVersion(gvk schema.GroupVersion) (client.Object, error) { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I agree with @maxsmythe on
Let's not move there two methods. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Done |
||
switch gvk.Version { | ||
case "v1": | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
package k8scel | ||
|
||
type Arg func(*Driver) error | ||
|
||
// GatherStats starts collecting various stats around the | ||
// underlying engine's calls. | ||
func GatherStats() Arg { | ||
return func(driver *Driver) error { | ||
driver.gatherStats = true | ||
|
||
return nil | ||
} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@abhipatnala this should point to e78c8abd754aa12538eb21ee0c145cbe5465569d